20 Dec, 2023

Legal Requirements for Identity Verification in Banking, Brokerage Institutions and Electronic Communications Sectors

Every sector needs to verify the identities of real or legal persons for contracts, agreements or any other transaction made electronically. In Turkey, the relevant institutions have put forward practices and legislation for many sectors. Let's examine these practices and legislation for some of those sectors.

Banking sector

Authentication plays an important role in both traditional and remote banking. While traditional banking verifies a person's identity when they present their identity document, various methods have been introduced for remote banking.

According to the "Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relationship in Electronic Environment" [1] published by the Banking Regulation and Supervision Agency (BDDK in Turkish, BRSA in English), the methods that banks can use for remote identity verification are as follows:

  • Biometric Authentication: The customer's identity is verified using methods such as fingerprint, face recognition and voice recognition.
  • Technological Authentication: The customer's identity is verified using methods such as electronic signature, mobile signature and e-Government password.
  • Personal Information Verification: Identity verification is made by verifying the information contained in the customer's identity document.

Banks can verify their customers' identities remotely by using one or more of these methods.

In addition to the BRSA, the Financial Crimes Investigation Board (MASAK) has published changes regarding remote identification with the Communiqué on Amendments to the General Communiqué of the Financial Crimes Investigation Board of the Ministry of Treasury and Finance [2]. According to these changes:

  • The “Near Field Communication” and “Security Elements” methods were defined. Identification through Near Field Communication should basically be carried out with an identity document. If the identity cannot be verified with this method, the security elements included in the identity document must be verified in terms of form and content.
  • In remote identification, the process should be carried out online, uninterrupted, by video and in real time.
  • If the remote identification process is carried out partially or completely by procuring services, it is mandatory for the organization to receive the service to have the TS EN ISO/IEC 27001 Information Security Management System certificate.
  • Remote identification operations performed by the customer representative can be carried out partially or completely online and with artificial intelligence-based methods.

Brokerage Institutions

The Capital Markets Board (CMB) has set out the procedures and principles for remote identity verification and establishing a contractual relationship in the Communiqué on Remote Identification Methods to be Used by Brokerage Houses and Portfolio Management Companies and Establishing a Contractual Relationship in Electronic Environment [5]. The communiqué states that:

  • The remote identification process can be carried out visually in online environments,
  • Among special categories of personal data, biometric data can only be used with the person's explicit consent, and the conversation can be recorded,
  • Video calls will be carried out in an end-to-end secure, timely and uninterrupted manner, and in case of suspicion of fraud or forgery the call will be terminated,
  • Security in the remote identification process is entirely the responsibility of portfolio management companies,
  • Electronic contracts can only be concluded after a properly carried out identity verification process.

Additionally, the Amendment Communiqué states that:

  • A copy of contracts established electronically must be transmitted to the customer by electronic or physical means,
  • For investment services offered electronically by the brokerage firm, an authentication mechanism consisting of at least two components and a verification code must be applied.

Electronic Communications Sector

The remote identity verification process in the electronic communications sector is regulated by the Information Technologies and Communications Authority (BTK) Regulation on the Process of Verifying the Applicant's Identity in the Electronic Communications Sector [4].

This Regulation covers the procedures and principles regarding the process to be applied to verify the identity of the applicant when the documents related to the following transactions in the electronic communications sector are prepared electronically:

  • Subscription agreement,
  • Number porting application,
  • Application for change of operator,
  • Qualified electronic certificate application,
  • Registered e-mail application,
  • SIM change application.

According to this Regulation, companies serving in the sector will be able to perform remote identity verification through face-to-face channels, their own websites, mobile applications or similar channels. It states that the remote identity verification process can be carried out using the following methods, and each item is detailed:

  • The e-Government Gateway for identity verification transactions; visual verification through artificial intelligence or authorized persons, together with a document that has a near field communication feature in accordance with the ICAO 9303 standard,
  • Creating PAdES together with the TCKK,
  • In face-to-face channels, taking a video image specific to the process along with the applicant's identity document.

Service providers/operators:

  • Preservation of identity information,
  • Encryption of identity information while it is being transferred for authentication purposes,
  • The purpose of the transaction,
  • Protection against unauthorized access or uncontrolled changes contrary to the principle of separation of duties,
  • Keeping transaction records regarding all processes carried out in information systems by ensuring their confidentiality, security and integrity.

At this point, service providers/operators must manage the process well and take the necessary security measures, taking into account possible technological, operational and similar risks.

BDDK Compatibility Package

Prepared by Turkish Cyber Security Cluster member companies, the BRSA Compliance Package is a solution that provides a higher level of security for confidential customer information by offering new standards for data security and mobile device security. The package has been prepared in accordance with the procedures and principles of the aforementioned legislation.

  • It provides security solutions for mobile applications and app shielding. With these solutions, adequate security measures are taken, taking into account possible technological, operational and similar risks, and compliance is ensured with the principle in the 3rd Section of Article 4 of the “Regulation on Remote Identification Methods to be Used by Banks and the Establishment of Contractual Relationships in Electronic Media” (BRSA) [1]. The solutions provided for the security of mobile applications are compatible with BRSA legislation [1], as well as MASAK [2] and BTK [3] regulations.
  • The compliance package includes solutions to prevent fraud. With these solutions, the condition in the relevant legislation of BRSA [1], BTK [4] and CMB [5] of taking the necessary security measures against fraud or forgery is met.
  • Within the framework of the legislation published by CMB [5], BRSA [1], BTK [4] and MASAK [2], it aims to ensure the safe execution of both face-to-face and remote identity verification processes. The BRSA Compliance Package also offers solutions compatible with the relevant legislation.
  • With the relevant regulations and communiqués, remote customer acquisition and the use and comparison of biometric data in the remote identity verification process have been made legal. Additionally, in the remote authentication process, the use of SMS OTP (One Time Password) is offered as an option for identification. The BRSA Compliance Package helps to meet the requirements of the legislation in question.
  • This package covers part 5 of Chapter 2 of the "Communiqué on Remote Identification Methods to be Used by Brokerage Houses and Portfolio Management Companies and the Establishment of Contractual Relationships in Electronic Media" [5] published by the CMB; Articles 2 and 3 of the "Communiqué on Amendments to the General Communiqué of the Financial Crimes Investigation Board (Sequence No: 19) (Sequence No: 24)" [2] published by MASAK; and the whole of the "Regulation on the Process of Verifying the Applicant's Identity in the Electronic Communications Sector" [3, 4] published by BTK.

Identity verification and electronic contract processes are of vital importance for the banking, brokerage and electronic communications sectors. In these sectors, various authentication methods have been determined to ensure customer security and privacy and to secure transactions carried out electronically.

These regulations contribute to the healthy and safe continuation of digital transformation in the sector. Institutions operating in the sector must constantly review their security measures, using solutions such as the BRSA Compliance Package, in order to fully comply with regulations and provide a safe digital experience to their customers.

SOURCES

[1] “Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relationship in Electronic Environment” (BDDK) published in the Official Gazette dated 1 April 2021 and numbered 31441.

https://www.resmigazete.gov.tr/eskiler/2021/04/20210401-7.htm

[2] “Communiqué on Amendments to the Financial Crimes Investigation Board General Communiqué (Sequence No: 19) (Sequence No: 24)” published in the Official Gazette dated 11 August 2023 and numbered 32276 (Ministry of Treasury and Finance)

https://www.resmigazete.gov.tr/eskiler/2023/08/20230811-4.htm

[3] “Regulation on the Process of Verifying the Applicant's Identity in the Electronic Communications Sector” (BTK) published in the Official Gazette dated 26 June 2021 and numbered 31523.

https://resmigazete.gov.tr/eskiler/2021/06/20210626-21.htm

[4] Decision dated 18 May 2021 and numbered 2021/DK-BTD/129 “Regulation on the Process of Verifying the Applicant's Identity in the Electronic Communications Sector” (BTK)

https://www.btk.gov.tr/uploads/boarddecisions/elektronik-haberlesme-sektorunde-basvuru-sahibinin-kimliginin-dogrulanma-sureci-hakkinda-yonetmelik/129-2021-web.pdf

[5] “Communiqué on Remote Identification Methods to be Used by Intermediary Institutions and Portfolio Management Companies and Establishment of Contractual Relationship in Electronic Environment (III-42.1)” published in the Official Gazette dated 8 February 2022 and numbered 31744 (Capital Markets Board).

https://resmigazete.gov.tr/eskiler/2022/02/20220208-3.htm
