Long-Awaited Regulation On Information Systems Of Banks And Electronic Banking Services Has Finally Arrived
The Regulation on Information Systems of Banks and Electronic Banking Services ("Regulation"), drafted to replace the Communiqué on Principles on the Management of Information Systems of Banks ("Communiqué"), has been published in the Official Gazette numbered 31069 and dated 15 March 2020. As you may recall, the initial draft of the Regulation was published on the website of the Banking Regulation and Supervision Agency ("BRSA") in December 2018 for public feedback. Since then, the Regulation has been under review in light of the feedback received from stakeholders (in practice, limited to the banks).
The final version of the Regulation, as published in the Official Gazette, will come into force as of 01 July 2020.
The Regulation contains detailed rules on the information systems used by banks, including those regarding:
Therefore, the Regulation will have a significant impact on the business operations of (i) banks, (ii) auditing firms, (iii) technology firms offering outsourced services to banks, and (iv) firms offering open banking products.
The system and data localization requirement ("on-soil requirement") introduced by the Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks ("Internal System Regulation"), which obliges banks to locate their primary and secondary systems within Turkey, remains unchanged. Banks will continue to be required to keep their primary and secondary IT systems within Turkish territory. However, the Regulation provides further details and clarifications on both the definition and the scope of the requirement.
Clarifications on the definition and scope: The Regulation includes some important clarifications on the scope of primary/secondary systems. Pursuant to the new provisions:
Primary/Secondary Systems on the Cloud: The Regulation explicitly allows banks to procure cloud-based information services. Nevertheless, such services are subject to certain strict conditions:
In summary, the Regulation states that (i) banks may use cloud computing services as an outsourced service, (ii) cloud services used for primary and secondary systems must be established inside Turkey, (iii) cloud services may be used for primary and secondary systems if procured under a private cloud service model that allocates hardware and software resources to a single bank, and (iv) cloud services may only be used as an outsourced service with the approval of the Board if procured under a semi-public (community) cloud service model in which hardware and software resources are physically shared among institutions subject to the Authority's supervision, with logical separation between them. Finally, the Board is now entitled to amend the list of institutions that may fall within the scope of the community cloud service if it deems necessary.
The situation regarding cloud usage by banks under the Regulation can be summarised as follows. Please note that the localization requirement for primary and secondary systems was already in place; the Regulation only provides more detail on the permitted methods of cloud usage:
Article 10 of the Regulation titled 'Data Sharing' is drafted in a way that reflects and complements the data transfer regime recognized under Article 73 of the Banking Law numbered 5411.
The sharing and transfer of data held by banks is mainly regulated under Article 73 of the Banking Law numbered 5411. Please note that Article 73 of the Banking Law has recently been amended (on 25 February 2020). Prior to the amendment, Article 73 provided a general secrecy obligation for banks concerning banking and customer secrets, together with the exceptions to this general confidentiality obligation. However, issues such as what constituted a "customer secret", whether a customer may consent to its data being shared with third parties, and whether the BRSA had explicit authority to limit cross-border transfers by banks were not regulated. With the amendment, the following issues have been clarified:
Definition: The Regulation provides a broad definition of "outsourced service". The definition covers almost all information systems related to the services procured by banks: "Including support services within the scope of the Regulation on Support Service Procurement of Banks, all services outsourced by banks concerning their information systems that have the potential to affect the confidentiality, integrity and accessibility of banking information or the continuity of banking services, or that have access to or receive banking information."
Mandatory Content Requirement: The Regulation establishes conditions for the procurement of outsourced services. Similar to the mandatory content requirement established by the previous Communiqué for support services, the Regulation prescribes mandatory content for the agreements executed when procuring outsourced services. These mandatory contents do not differ significantly from those previously envisaged under the Communiqué.
Conditions for Outsourcing: Pursuant to the Regulation, banks shall fulfil the following requirements, especially regarding the assessment and management of risks, when procuring outsourced services.
Preference for local products: The Regulation provides that banks are required to take the utmost care (although they are not explicitly obliged) to procure products and services within the scope of their critical information systems and security that are produced in Turkey or supplied by providers with research and development centres in Turkey. The provision is drafted not as an obligation but as a strong recommendation. However, the Regulation does require the providers and producers of such products to have a response team in Turkey.
Internet banking, which was regulated in detail in the Communiqué, is now addressed under the broader definition of electronic banking services, which includes "all kinds of electronic distribution channels where customers can realize or instruct the bank to realize banking transactions remotely, such as internet banking, mobile banking, phone banking, open banking services, ATM and kiosk devices".
Regarding transactions performed through electronic banking services, the Regulation requires banks to ensure that the reversal of any transaction offered through an electronic distribution channel can be performed through the same channel, as long as this is possible and does not pose a higher risk.
Channels with Mandatory Authentication: The authentication mechanism in the Regulation is written largely in parallel with the Communiqué. In addition, within the scope of electronic banking services, the authentication mechanism that banks apply to their customers must be implemented across all electronic banking services, including transactions that have no financial consequences, such as viewing customer information. For example, customers must be authenticated even when accessing applications where only their expenditure and miscellaneous information is viewed.
Identity Authentication Method: In electronic banking services, an identity authentication mechanism consisting of at least 2 (two) separate components shall be applied. These two components must belong to two different classes of elements: elements "known to" the customer, elements "owned by" the customer, or elements that are "a biometric characteristic" of the customer.
Likewise, the 2 (two) factor identity authentication requirement is considered fulfilled where (i) the component owned by the customer is specific to that customer and cannot be imitated, and (ii) this encryption key triggers the bank's online authentication mechanism. Within this scope, authentication methods that work as an integrated part of a device and allow access to the mobile banking application are explicitly allowed to be used for 2 (two) factor authentication. However, passwords, PINs or biometric data that are not under the control of the mobile banking application but under the control of the device manufacturer may not be used as components in the authentication process.
The Regulation also provides that, for authentication over internet banking distribution channels, authentication must be performed online by the bank, and that the element known by the customer must not be submitted automatically, whether by being remembered by the browser or mobile banking application or by being linked to other local identity verification methods.
While the Communiqué contained no such requirement, under the Regulation, where banking services are offered over the telephone, it must be ensured that (i) the representative does not see information relating to the customer, and the customer's transaction menu is not active, until 2 (two) factor authentication has been passed, and (ii) after authentication, the customer representative may access only the customer information that is required. Accordingly, once a telephone banking call is connected, it is not appropriate to display customer information or to address the customer using that information before authentication.
The Regulation provides that at least 2 (two) factor authentication shall be applied to transactions conducted through ATMs where the same transaction would have required legal identity documentation to be presented if conducted at the bank's physical branch. It can be assumed that the said "transactions requiring legal identity presentation" are transactions performed without any payment instrument (such as a card), since banks' identity verification obligations are regulated mainly under the Law on the Prevention of Laundering Proceeds of Crime numbered 5549 and its secondary legislation.
Where identity verification mechanisms are not implemented in accordance with the foregoing, the burden of proof shall be on the bank to demonstrate that transactions were made by the customer.
Customers who will use the electronic banking services offered by the bank must be clearly informed about the conditions, risks and exceptional circumstances regarding those services. Compared to the Communiqué, the Regulation brings more detailed and stricter provisions on notifications made to customers through electronic channels. Within this scope, the information and explanations to be provided to customers within the scope of electronic banking services must be presented in a clear and understandable manner, in areas of the relevant channels that are easy to recognize. To ensure an appropriate notification procedure, the Regulation obliges banks to implement (i) systemic limitations ensuring that customers read the relevant notification at least 1 (one) time before receiving electronic banking services, and (ii) measures necessary to ensure that customers read the security warnings and announcements that must be presented to them after they start receiving services. Because of this explicit provision, (i) notifications embedded in links will not be deemed compliant with the legislation, and (ii) forced scroll-down methods obliging customers to scroll through the whole text should be adopted.
It should also be noted that all information having the characteristics of sensitive or secret data that the bank conveys to its customers electronically, such as statements, receipts and account summaries, must be sent through channels that offer electronic banking services.
The bank is obliged to provide its customers with the guidance necessary to use electronic distribution channels for receiving such information.
SMS OTP in Identity Verification: Except for OTPs and authentication codes sent via SMS for the initial set-up, activation or reactivation of the mobile banking application, the Regulation forbids sending OTPs or authentication codes via SMS to customers who have activated their mobile banking application, whether for logging in, for verifying any transaction after logging in, or for use as an identity verification element.
On the other hand, unless the changes mentioned below have been confirmed, SMS OTPs cannot be sent to customers who have changed their SIM card or ported their phone number, for any transaction, for 90 (ninety) days from the date of the change, and SMS OTP cannot be used as an authentication method for those customers during the provision of the related electronic banking services. When confirming such changes, the burden of proof shall be on the bank to demonstrate that any transaction performed without two-factor authentication was made by the customer.
Security: It must be possible to verify that the source of any software or mobile application offered for use in electronic banking services is the relevant bank. In addition, banks are obliged to (i) ensure that the related software or mobile applications do not contain any code that could compromise customer security; (ii) provide customers with the patches and updates necessary to address security flaws; (iii) ensure that sensitive data is inaccessible to other applications and transactions where multi-purpose mobile devices, such as smartphones, are used to transmit multiple authentication components; and (iv) maintain up-to-date controls ensuring that sensitive data is inaccessible to unauthorized persons if a mobile device is lost or stolen.
Offering of Services: The Regulation introduces articles on open banking, whose legal infrastructure was prepared by the amendments to Law No. 6493 and which has its source in the Directive. Within this scope, open banking services are described as an "electronic distribution channel where customers or parties acting on behalf of the customers can realize or may instruct the banks for the realization of transactions by remotely accessing financial services provided by banks through methods such as API, web services, document transfer protocol", and services allowing customers to access their financial data and give instructions are included within the scope. Although the Regulation contains no detailed rules on open banking services, the BRSA has been given the authority to designate the services to be provided via this method and the principles and procedures relevant to those services.
As you may recall, with the amendments made at the end of 2019 to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions numbered 6493 ("Law No. 6493"), two new payment services, "access to payment accounts" and "instructions to payment accounts", were defined. These services are also considered "open banking" services. As can be seen, "open banking" services are covered by both Law No. 6493 and the Regulation. The question that may arise is what the scope of these two regulations is and whether they contradict each other. Although the two regulations have intersecting parts, they regulate different issues in terms of scope. In this regard:
Payment account requirement:
Title of those providing access
Title of those accessing
In terms of Content of Services
On the other hand, contrary to the requirement set out under the Directive, the Regulation imposes no obligation on banks to provide an API for open banking services. It is therefore expected that this issue will be clarified by the secondary legislation to be issued by the BRSA (and by the Central Bank with respect to payment services legislation).
Authentication: Without prejudice to the requirements of the Law on Prevention of Laundering Proceeds of Crime numbered 5549 and its secondary legislation, the Regulation provides that, in order to identify a customer or an entity acting in the name of the customer, a bank may obtain services through open banking services from another bank that has previously verified the identity of that customer or entity. This lays the groundwork for the technological infrastructure required by the "third party reliance" concept under Article 21 of the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime.
As seen in the article, banks may perform remote authentication, and may even obtain authentication information from another bank through "open banking services". It should be noted that, although this provision has been introduced by the BRSA, as the article itself states it is without prejudice to the regulations of the Financial Crimes Investigation Board ("MASAK"); in other words, the MASAK regulations, which currently require face-to-face authentication (with the exception of simplified authentication procedures), remain in force. Accordingly, as long as the MASAK regulations remain in their current form, banks will not be able to perform remote authentication in the electronic environment on the basis of this provision alone.