The Regulation on Information Systems of Banks and Electronic Banking Services ("Regulation"), which was drafted to replace the Communiqué on Principles on the Management of Information Systems of Banks ("Communiqué"), has been published in the Official Gazette numbered 31069 and dated 15 March 2020. As you may recall, the initial draft of the Regulation was published on the website of the Banking Regulation and Supervision Agency ("BRSA") in December 2018 for public feedback. Since then, the review of the Regulation has continued, taking into consideration the feedback received from stakeholders (which was limited to the banks).
The final version of the Regulation, as published in the Official Gazette, will come into force as of 01 July 2020.
2. The Scope
The Regulation contains detailed rules on the information systems used by banks, including those regarding:
- Establishment and management of information systems of banks,
- Information security of banks,
- Outsourced information system service procurement by banks,
- Electronic banking services (e.g. online, mobile, phone banking services),
- Open banking.
Therefore, the Regulation will have a significant impact on the business operations of (i) banks, (ii) auditing firms, (iii) technology firms offering outsourced services to banks, and (iv) firms offering open banking products.
3. On-Soil Requirement for Primary and Secondary Systems of Banks
The system and data localization requirement ("on-soil requirement") introduced by the Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks ("Internal System Regulation"), which obliges banks to locate their primary and secondary systems within Turkey, remains unchanged. Banks will continue to have to keep their primary and secondary IT systems in Turkish territory. However, the Regulation provides further details and clarifications on both the definition and the scope of the requirement.
Clarifications on the definition and scope: The Regulation has some important clarifications on the scope of primary/secondary systems. Pursuant to the new provision:
- Regardless of the number of backup systems, all systems that may qualify as backups of a primary system will be regarded as secondary systems and will be required to be kept in Turkish territory.
- The main criterion for determining whether a system is primary (or secondary) is identified by the Regulation: pursuant to the new provision, banks are expected to assess whether (i) any business operation is carried out on the system in question and/or (ii) any sensitive or secret information is processed, hosted or transferred on it. The Regulation makes it clear that systems on which no banking operation is carried out, such as intra-company messaging systems or market monitoring platforms, will not be deemed primary systems and will not be subject to the related obligations. As a side note, whether cloud services may be used for test or development environments is not clarified by the Regulation, as the article makes no explicit reference to them.
- Outsourced services falling within the scope of the primary systems are also qualified as primary systems and need to be located in Turkish territory. This means that third parties providing software or cloud services to banks in relation to their primary systems are required to host their systems and data in Turkey.
Primary/Secondary Systems on the Cloud: The Regulation explicitly allows banks to procure cloud-based information services. Nevertheless, such services are subject to certain strict conditions:
- First, if such services fall under the definition of primary or secondary systems, the on-soil requirement will apply and such systems may only be hosted in Turkish territory.
- Secondly, the cloud systems offered to banks must be either (i) allocated only to the bank procuring the services (i.e. private cloud) or (ii) shared between entities that are subject to the supervision of the BRSA, with the bank's systems serviced separately via logical separation on the shared system (i.e. semi-public cloud). In the latter case, the bank wishing to use such a system must obtain permission from the BRSA.
In summary, the Regulation states that (i) banks may use cloud computing services as an outsourced service, (ii) cloud services used for primary and secondary systems must be established inside Turkey, (iii) cloud services may be used for primary and secondary systems if procured under a private cloud service model that allocates hardware and software resources to a single bank, and (iv) cloud services procured under a semi-public cloud service model, in which hardware and software resources are physically shared among institutions subject to the Authority's supervision with logical separation, may only be used as an outsourced service with the approval of the Board. Finally, the Board is now entitled to amend the set of institutions that may fall within the scope of the community cloud service if it deems this necessary.
The situation regarding cloud usage by banks under the Regulation can be pictured as follows. Please note that the localization requirement for primary and secondary systems was already in place; the Regulation only provides more details on the permitted methods of cloud usage:
4. Data Sharing
Article 10 of the Regulation, titled 'Data Sharing', is drafted in a way that reflects and complements the data transfer regime recognized under Article 73 of the Banking Law numbered 5411.
Sharing and transfer of data held by banks is mainly regulated under Article 73 of the Banking Law numbered 5411. Please note that Article 73 of the Banking Law was recently amended (on 25 February 2020). Prior to the amendment, Article 73 provided a general secrecy obligation for banks concerning banking and customer secrets, together with exceptions to this general confidentiality obligation. However, issues such as what constituted a 'customer secret', whether a customer may consent to its data being shared with third parties, and whether the BRSA had explicit authority to limit cross-border transfers by banks were not regulated. With the amendment, the following issues have been clarified:
- Although not a new term within the banking legislation, Article 73 now specifically defines the scope of the "customer secret". Data of natural and legal persons that is generated after a customer relationship is established and that is specific to banking activities will be deemed a "customer secret" and will therefore be subject to the transfer regime provided under the article (e.g. IBAN numbers, credit scores, bank account transactions).
- Without prejudice to the mandatory provisions of other laws, information having the characteristics of a customer secret shall not be shared with or transferred to third parties in Turkey or abroad without a particular request or instruction from the customer, even if the explicit consent of the customer is received pursuant to the Law on the Protection of Personal Data numbered 6698, except for cases exempted from the confidentiality obligation. The Regulation further requires such requests or instructions to be obtained in a demonstrable manner (in writing or via permanent data storage
Please note that, where a cross-border transfer of customer secrets is in question, even if such a request or instruction is received from the customer (or the transfer falls under a case exempted from the confidentiality obligation), the cross-border data transfer regime foreseen under the data protection regulations will still have to be observed.
- As a result of its evaluation regarding economic security, the BRSA will be authorized to prohibit the sharing or transfer of all kinds of data having the characteristics of customer secrets or bank secrets with third parties abroad.
- In this respect, the BRSA will also be authorized to decide whether banks are required to establish the information systems they use to carry out their activities, and the backups of these systems, within Turkey. The rules brought by the Regulation can be seen as an exercise of this newly acquired authority.
- Information deemed a customer secret or bank secret may only be shared under the principles of purpose limitation and proportionality, and only to the extent of the data required by the relevant purpose. This rule also applies to cases exempted from the confidentiality obligation.
5. Outsourced Services
Definition: The Regulation provides a broad definition of "outsourced service". The definition covers almost all information-system-related services procured by banks: "Including support services within the scope of the Regulation on Support Service Procurement of Banks, all services outsourced by banks concerning their information systems that have the potential to affect the confidentiality, integrity and accessibility of banking information or the continuity of banking services, or that have access to banking information or receive such information".
Mandatory Content Requirement: The Regulation establishes conditions for the procurement of outsourced services. Similar to the mandatory content requirement established by the previous Communiqué for support services, the mandatory content of the agreement to be executed for outsourced service procurement is provided under the Regulation. This mandatory content does not differ significantly from that previously envisaged under the Communiqué.
Conditions for Outsourcing: Pursuant to the Regulation, banks shall fulfill the following requirements, especially on assessing and managing risks, when procuring outsourced services.
- Banks are explicitly forbidden from procuring critical services and critical workflows under standard agreements where they cannot perform their obligations with respect to the mandatory content of the agreement to be executed.
- In line with the principles defined in their security policies, banks shall be obliged to make the organizational changes necessary to keep the risks resulting from outsourcing under control, to define administrative procedures, and to appoint a responsible person having adequate knowledge and experience to manage the relationship with the outsourced service provider.
- Banks are required to ensure that outsourced service providers obtain permission from the bank before involving sub-service providers in the provision of their services to the bank.
- As a precaution for cases where the outsourced service provider ceases its activities, the Regulation provides that banks shall obtain the source code of the software for all critical applications from the outset, or that an escrow mechanism shall be established for such source code.
Preference for local products: The Regulation provides that banks are required to pay the utmost care (although not being explicitly obliged) to procure products and services within the scope of banks' critical information systems and security that are produced in Turkey or provided by providers that have their research and development centers in Turkey. The wording of the provision has been drafted not as an obligation but as a strong recommendation. However, it has been regulated that providers and producers of such products shall be required to have a response team in Turkey.
6. Electronic Banking
Internet banking, which the Communiqué regulated in detail, is now addressed under the definition of electronic banking services, which includes "all kinds of electronic distribution channels where customers can realize, or instruct the bank to realize, banking transactions remotely, such as internet banking, mobile banking, phone banking, open banking services, ATM and kiosk devices".
Regarding the transactions performed on electronic banking services, it is stated that banks must ensure that the reversal of any transaction offered through an electronic distribution channel can be performed through the same electronic distribution channel, as long as this is possible and does not pose a higher risk.
Mediums with Mandatory Authentication: The authentication mechanism set out in the Regulation has essentially been written in parallel with the Communiqué. In addition, within the scope of electronic banking services, it has been regulated that the authentication mechanism banks apply to their customers shall be implemented for all electronic banking services, including transactions that do not bear financial consequences, such as viewing customer information. For example, customers shall need to be authenticated when accessing applications where only their expenditures and miscellaneous information are viewed.
Identity Authentication Method: In electronic banking services, an identity authentication mechanism consisting of at least 2 (two) separate components shall be applied. These two components must belong to two different classes of elements: something "known to" the customer, something "owned by" the customer, or a "biometric characteristic" of the customer.
Likewise, the requirement of 2 (two) factor identity authentication is considered fulfilled where (i) the component owned by the customer is specific to that customer and cannot be imitated and (ii) this encryption key triggers the online authentication mechanism before the bank. Within this scope, authentication methods that work as an integrated part of a device and allow access to the mobile banking application are explicitly allowed to be used for 2 (two) factor authentication. However, passwords, PINs or biometric data that are not under the control of the mobile banking application but under the control of the device manufacturer may not be used as components in the authentication process.
The Regulation also provides that, during authentication over internet banking distribution channels, the authentication shall be performed online by the bank, and that the element known by the customer must not be sent automatically as remembered by the browser or mobile banking application, nor by relying on other local identity verification methods.
While no such requirement was foreseen in the Communiqué, according to the Regulation, where banking services are offered over the telephone, it should be ensured that (i) the customer representative does not see information relevant to the customer, and the transaction menu relevant to the customer is not active, unless 2 (two) factor authentication has been passed, and that (ii) after authentication, the customer representative may only access the customer information that is required. Within this scope, when a telephone banking call is established, it shall not be appropriate to display customer information or to address the customer using this information prior to authentication.
The Regulation also provides that at least 2 (two) factor authentication shall be applied to transactions conducted through ATMs where the same transaction would have required a legal identity document to be presented if conducted at the bank's physical branch office. It can be assumed that the said "transactions necessitating legal identity presentation" are transactions realized without any payment instrument (such as a card), since banks' identity verification obligations are regulated mainly under the Law on the Prevention of Laundering Proceeds of Crime numbered 5549 and its secondary legislation.
In the event that identity verification mechanisms are not conducted in accordance with the foregoing, the burden of proof shall be on the bank to demonstrate that transactions are made by the customer.
It has been regulated that customers who will benefit from the electronic banking services offered by the bank shall be clearly informed about the conditions, risks and exceptional circumstances regarding the services. The Regulation brings more detailed and stricter provisions than the Communiqué with respect to notifications made to the customer through electronic channels. Within this scope, the information and explanations that need to be provided to customers for electronic banking services should be displayed in a clear and understandable manner, in easily recognizable areas of the relevant channels. In order to ensure an appropriate notification procedure, the Regulation obliges banks to implement (i) system-level restrictions ensuring that customers read the relevant notification at least 1 (one) time before receiving electronic banking services, and (ii) the measures necessary to ensure that security warnings and announcements which must be presented to customers after they start receiving services are actually read. Because of this explicit provision, (i) notifications placed behind links will not be deemed compliant with the legislation, and (ii) forced scroll-down methods, obliging customers to scroll through the whole text, should be adopted.
It should also be noted that all information having the characteristics of sensitive or secret data that the bank conveys to its customers in the electronic environment, such as statements, receipts and account summaries, must be sent through channels that offer electronic banking services.
The bank is obliged to provide the necessary guidance to its customers to enable them to use electronic distribution channels for receiving such information.
9. SMS OTP Notifications
SMS OTP in Identity Verification: Excluding OTPs and authentication codes sent via SMS within the scope of the initial set-up, activation or reactivation of the mobile banking application, the Regulation forbids sending OTPs or authentication codes via SMS to customers who have activated their mobile banking application, whether for logging in, for verifying any transaction after logging in, or for use as an identity verification element.
On the other hand, unless the change has been confirmed, no SMS OTP may be sent to customers who have changed their SIM card or ported their phone number, for any transaction, for 90 (ninety) days starting from the date of the change, and SMS OTP cannot be used as an authentication method for such customers during the provision of the related electronic banking services. While confirming the change, the burden of proof shall be on the bank to demonstrate that any transaction performed without two-factor authentication was made by the customer.
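The factor-class rule described under Identity Authentication Method above and the SMS OTP restrictions in this section translate naturally into a policy check a bank could run before accepting a login or transaction. The following is an added illustration, not code from the Regulation or the BRSA; the factor and customer models, the sample data and the scenario names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

class FactorClass(Enum):
    KNOWN = "known to the customer"         # password, PIN
    OWNED = "owned by the customer"         # app-bound key, hardware token, SMS OTP
    BIOMETRIC = "biometric characteristic"  # fingerprint enrolled in the bank's own app

@dataclass(frozen=True)
class Factor:
    name: str
    cls: FactorClass
    bank_app_controlled: bool = True  # False: PIN/biometric owned by the device manufacturer
    via_sms: bool = False             # delivered as an SMS OTP
    auto_filled: bool = False         # remembered by browser/app instead of typed by the customer

@dataclass
class Customer:
    mobile_app_active: bool
    sim_changed_on: Optional[date] = None  # date of SIM swap or number port, if any
    sim_change_confirmed: bool = False

SIM_CHANGE_HOLD_DAYS = 90

def sms_otp_block_reason(cust: Customer, today: date, enrollment: bool) -> Optional[str]:
    """None if SMS OTP may be used today, otherwise why the Regulation bars it."""
    if cust.mobile_app_active and not enrollment:
        return "customer already has an active mobile app (SMS only for set-up/activation)"
    if cust.sim_changed_on and not cust.sim_change_confirmed:
        if today - cust.sim_changed_on < timedelta(days=SIM_CHANGE_HOLD_DAYS):
            return "unconfirmed SIM/number change within the last 90 days"
    return None

def usable_factors(cust, factors, today, enrollment=False):
    """Drop factors the Regulation does not accept; return (kept, rejection reasons)."""
    kept, reasons = [], []
    for f in factors:
        if not f.bank_app_controlled:
            reasons.append(f"{f.name}: controlled by the device manufacturer, not the bank app")
        elif f.cls is FactorClass.KNOWN and f.auto_filled:
            reasons.append(f"{f.name}: known element must not be sent from browser/app memory")
        elif f.via_sms and (why := sms_otp_block_reason(cust, today, enrollment)):
            reasons.append(f"{f.name}: {why}")
        else:
            kept.append(f)
    return kept, reasons

def meets_two_factor(cust, factors, today, enrollment=False):
    """True only when the usable factors span at least two different classes."""
    kept, reasons = usable_factors(cust, factors, today, enrollment)
    classes = {f.cls for f in kept}
    if len(classes) >= 2:
        return True, reasons
    reasons.append(f"only {len(classes)} distinct factor class(es) remain")
    return False, reasons

# Constructed sample data (not from the Regulation), dated to its entry into force.
TODAY = date(2020, 7, 1)
PASSWORD = Factor("password", FactorClass.KNOWN)
SAVED_PASSWORD = Factor("saved password", FactorClass.KNOWN, auto_filled=True)
SMS_OTP = Factor("SMS OTP", FactorClass.OWNED, via_sms=True)
APP_KEY = Factor("app-bound key", FactorClass.OWNED)
DEVICE_FACE = Factor("device face unlock", FactorClass.BIOMETRIC, bank_app_controlled=False)

def run_scenarios():
    # Returns {scenario name: whether the combination satisfies the two-factor rule}
    app_user = Customer(mobile_app_active=True)
    web_user = Customer(mobile_app_active=False)
    swapped = Customer(False, sim_changed_on=TODAY - timedelta(days=30))
    swapped_ok = Customer(False, sim_changed_on=TODAY - timedelta(days=30), sim_change_confirmed=True)
    return {
        "app user, password + SMS OTP": meets_two_factor(app_user, [PASSWORD, SMS_OTP], TODAY)[0],
        "app user, password + app key": meets_two_factor(app_user, [PASSWORD, APP_KEY], TODAY)[0],
        "app user, password + device face unlock": meets_two_factor(app_user, [PASSWORD, DEVICE_FACE], TODAY)[0],
        "web user, saved password + SMS OTP": meets_two_factor(web_user, [SAVED_PASSWORD, SMS_OTP], TODAY)[0],
        "web user, password + SMS OTP": meets_two_factor(web_user, [PASSWORD, SMS_OTP], TODAY)[0],
        "SIM swapped 30d ago, unconfirmed": meets_two_factor(swapped, [PASSWORD, SMS_OTP], TODAY)[0],
        "SIM swapped 30d ago, confirmed": meets_two_factor(swapped_ok, [PASSWORD, SMS_OTP], TODAY)[0],
        "activation flow, app user, password + SMS OTP": meets_two_factor(app_user, [PASSWORD, SMS_OTP], TODAY, enrollment=True)[0],
    }
```

The rejection reasons returned alongside each verdict are what an auditor would want logged when a login path is refused.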
10. Electronic Banking Applications
Security: It must be possible to verify that the source of any software or mobile application offered for use in electronic banking services is the related bank. In addition, banks are obliged to (i) ensure that the related software or mobile applications do not contain any code that could compromise customer security; (ii) provide customers with the patches and updates necessary to address security flaws; (iii) ensure that sensitive data is inaccessible to other applications and transactions where a multi-purpose mobile device, such as a smartphone, is used to transmit multiple authentication components; and (iv) maintain up-to-date controls ensuring that sensitive data is inaccessible to unauthorized persons if a mobile device is lost or stolen.
11. Open Banking
Offering of Services: The Regulation introduces articles on open banking, the legal infrastructure for which was prepared by the amendments to Law No. 6493 and which has its source in the Directive. Within this scope, open banking services are described as an "electronic distribution channel where customers, or parties acting on behalf of customers, can realize transactions, or instruct the bank to realize transactions, by remotely accessing the financial services provided by banks through methods such as API, web services and document transfer protocol", and services allowing customers to reach their financial data and give instructions are included within the scope. Although the Regulation contains no detailed rules on open banking services, the BRSA has been given the authority to designate the services to be provided via this method and the principles and procedures relevant to these services.
As you may recall, with the amendments made at the end of 2019 to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions numbered 6493 ("Law No. 6493"), two new payment services, "access to payment accounts" and "instructions to payment accounts", were defined. These services are also considered "open banking" services. As can be seen, "open banking" services are covered by both Law No. 6493 and the Regulation. The question that arises is what the scope of these two regulations is and whether they contradict each other. Although the two regulations have intersecting parts, they regulate different issues in terms of scope. In this regard:
Payment account requirement:
- In the new services brought by Law No. 6493, there is a requirement to "connect to another payment service provider's payment account". In other words, a payment service provider offering this new service may only access another payment account; services performed by accessing the bank other than by accessing and/or instructing the payment account are not a payment service under Law No. 6493.
- Under the definition of "open banking" stated in the Regulation, there is no such limitation on open banking activities within the scope of the Regulation. Whether or not a payment account is accessed, it is possible to remotely access "a financial service" offered by the bank or to give instructions for it to be performed. Therefore, the scope of financial services that can be offered under the Regulation is much wider.
Title of those providing access:
- New services brought by the Law No. 6493 can only be performed by a payment institution that has obtained permission from the Central Bank ("CB").
- On the other hand, customers can access the open banking services defined by the Regulation directly or through parties acting on their behalf, and those providing access do not have to be payment institutions.
- However, it should be noted that if the service accessed within the scope of the Regulation is an access or instruction service relating to a payment account, Law No. 6493 will also apply, and such services can only be offered by payment institutions that have obtained permission from the CB. Accordingly, the provisions of both Law No. 6493 and the Regulation shall apply to services within this scope.
Title of those being accessed:
- Within the scope of the newly introduced services with the Law No. 6493, payment accounts accessed do not have to belong to a bank; access to a payment institution's payment account shall likewise be considered within the scope of newly introduced payment services.
- However, in the open banking services brought by the Regulation, the party being accessed must be a bank; access to financial services that do not belong to banks will not fall within the scope of the Regulation.
Content of services:
- The scope of new services brought by Law No. 6493 (access and instruction to payment account) has been determined by Law No. 6493; however, pursuant to the Article 14/A of the Law No. 6493, the Central Bank will determine the principles and procedures for sharing data during access.
- The scope and definitions of the services brought by the Regulation are not clear. Pursuant to Article 41/2 of the Regulation, "the Board (BRSA) will be authorized to determine the services that can be provided through open banking services and the procedures and principles regarding these services".
On the other hand, contrary to the requirement set out under the Directive, the Regulation imposes no obligation on banks to provide an API for open banking services. For this reason, the issue is expected to be clarified by the secondary legislation to be issued by the BRSA (and by the Central Bank in terms of the payment services legislation).
Authentication: Without prejudice to the requirements under the Law on Prevention of Laundering Proceeds of Crime numbered 5549 and its secondary legislation, it has been regulated that a bank may, through open banking services, receive services for identifying its customer, or an entity acting in the name of the customer, from another bank that has previously verified the identity of that customer or entity. In this regard, the technological infrastructure for the "third party reliance" concept provided under Article 21 of the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime is being pursued.
As seen in the article, banks may perform remote authentication and may even receive the authentication information of another bank through "open banking services". It should be noted that, although this rule has been introduced by the BRSA, as the article itself states, it has been made without prejudice to the regulations of the Financial Crimes Investigation Board ("MASAK"); in other words, the MASAK regulations, which currently require face-to-face authentication (with the exception of simplified authentication procedures), remain in force. Accordingly, as long as the MASAK regulations remain in their current form, banks will not be able to authenticate customers remotely in the electronic environment on the basis of this provision alone.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.