Turkey: Digital Revolution: Remote Customer Identification In Banking Sector

I. General Overview

Banking sector is undergoing a transformation thanks to the digitalization and technological innovations. As part of this digital revolution, Article 76 of the Banking Law No. 5411 ("Banking Law") was amended to enable execution of electronic agreements for banking services in the previous months.

The Banking Regulatory and Supervisory Authority ("BRSA") has very recently taken this digitalization movement one step further and presented the Draft Communiqué on Remote Identification Methods to be used by Banks ("Draft Communiqué") to the public opinion on September 21, 2020. In this article, our aim is to reveal major changes introduced with the Draft Communiqué.

II. Remote Identification

The Draft Communiqué introduces remote identification method that banks may use for new customers and verification of customer identity.

Remote identification process will be carried out between the potential customer and customer representative through online video call and without the necessity of the potential customer being physically present at branch of the bank.

According to Article 4/3 of the Draft Communiqué, it will be required to maintain sufficient security level by taking into account possible technological, operational and other similar risks that may arise from the remote identification process. Remote identification process will be reviewed and necessary updates will be made, in case of the following: (i) security incidents and fraud attempts; (ii) amendments in the relevant legislation; (iii) possible fraud and (iv) impotencies in the remote identification method.

Article 6/1 of the Draft Communiqué states that potential customer's application will be received through a form before conducting the remote identification method and risk assessment will be made through the data acquired via this form. The remote identification will be made in real time and uninterruptedly. Furthermore, potential customer's explicit consent will be recorded at the beginning of the video conference call.

It will be ensured that the integrity and confidentiality of the audio-visual communication between the customer representative and potential customer is at an adequate level. For this purpose, videoconference call will be carried out through end-to-end secure communication

III. Identity Documents to be Used and Authentication of the Persons

Identity documents which (i) may be visually distinguished under white light and (ii) have the following minimum requirements will be used during the remote identification process: rainbow print, optical variable ink, and hidden image, hologram micro lettering security items, photo and wet signature. Verification of the validity and authenticity of the data as well as information included on the identity document will be carried out as part of the remote identification process.

During the video call, an SMS OTP (one-time password delivered through short message service) that is solely for identification process will be sent to the potential customer. The remote identification process will be completed once the SMS OTP is entered to the application interface by this person and is successfully confirmed by the system.

Article 9 of the Draft Communiqué stipulates that the remote identification process will be cancelled, if the process is prevented from running as usual due to the issues such as poor lighting conditions or poor image quality, or if any inconsistency, uncertainty or fraud is discovered in the process or in the documents presented by the potential customer.

As per Article 11 of the Draft Communiqué, the entire remote identification process will be recorded and stored.

IV. Responsibility Arising From Remote Identification

The bank will be responsible to ensure that adequate solutions are used in order to minimize the risk of misidentification of the person. In this regard, the bank should apply additional security and control methods depending on the type and amount of the transactions performed. The burden of proof will be on the bank in case of an objection to the transaction that imposes obligations on the persons or third parties.

As a precautionary measure, the BRSA will be authorized to restrict or halt the remote identification process as a result of the evaluation of the bank's compliance with the relevant legislation, complaints and fraudulent actions and when deemed necessary.

V. Conclusion

The BRSA has recently presented the Draft Communiqué to the public opinion. The Draft Communiqué has been prepared in accordance with the amended Article 76 of the Banking Law which enables entering into electronic agreements in the banking sector. The Draft Communiqué will allow banks to conduct authentication of the identities of the potential customers remotely and electronic banking transactions in Turkey will be carried forward to a next level.

This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in December 2020. A link to the full Legal Insight Quarterly may be found here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.