Brief on Authentication and BRSA Circular No. 2023/1 on Authentication and Transaction Security
Technological developments directly affect processes such as the identification and verification of individuals' identities. In particular, the fact that this process is carried out remotely and that contracts are concluded electronically makes identification and verification more significant by the day. Indeed, it is critical, particularly in regulated sectors, to reliably and accurately determine and verify whether a person is who they claim to be, without meeting them in person. It is equally significant that "transaction security" is adopted end to end throughout the process.
This matter has been regulated in Turkish legislation at an accelerated pace, particularly in recent years. The regulatory structure is shaped by the relevant competent institutions and organizations, each issuing its own regulations. Accordingly, each competent authority, taking into account the dynamics and sensitivities of its own sector, introduces differing terms and conditions for the identification and verification of individuals. In addition, identification and verification carried out through the Turkish identity card is regulated in parallel under separate legislation.
The institutions and organizations that have introduced authentication and identification regulations for their respective sectors are as follows:
- Banking Regulation and Supervision Agency: Regulates the procedures and principles for remote identification to be used by banks in particular, as well as by financial leasing, factoring, financing and savings financing companies.
- Information and Communication Technologies Authority: Regulates the procedures and principles for remote identity verification, particularly in the electronic communications sector.
- Financial Crimes Investigation Board: Regulates the procedures and principles to be followed when identifying customers with whom obliged parties have a continuous business relationship, particularly within the scope of the "Regulation on Measures to Prevent Laundering Proceeds of Crime and Financing of Terrorism".
- Capital Markets Board: Regulates the procedures and principles to be followed in the remote identification methods of intermediary institutions and portfolio management companies, and in the identity verification procedures of obliged persons, within the scope of the "Communiqué on Information Systems Management".
- Central Bank of the Republic of Turkey: Regulates the procedures and principles to be followed in the authentication and identification of customers by payment service providers and electronic money issuers.
As mentioned above, in addition to these, the Republic of Turkey Identity Card Regulation and the Republic of Turkey Identity Card Electronic Authentication System Regulation constitute the general legislation governing the procedures and principles for work and transactions carried out with the Turkish identity card.
In this context, the most recent development is the Circular No. 2023/1 on the Criteria to be Provided for Authentication and Transaction Security in Electronic Banking Services and Establishment of Contractual Relationships in Electronic Environment (Circular), issued by the Banking Regulation and Supervision Agency (BRSA) on 27 March 2023. The BRSA had previously published the draft Circular No. 2022/2 (Draft Circular), providing additional explanations on the criteria to be met for identity verification and transaction security in electronic banking services and the establishment of contractual relationships in electronic environment. The Draft Circular attracted considerable attention in the relevant sectors and contained long-awaited regulations. You can access The Fine Print November 2022 article, in which we evaluated the Draft Circular, here, and the full text of the Draft Circular here (only available in Turkish).
The Circular regulates the following in general terms:
- Identity verification and transaction security in banks' electronic banking service channels,
- The compliance process with the relevant articles of the Regulation on Information Systems and Electronic Banking Services, which stipulates that banks use techniques ensuring non-repudiation and the assignment of responsibility, for both the bank and its customers, in transactions carried out by banks,
- Technical details on authentication and transaction security by banks, and on the establishment of contractual relationships in electronic environment,
- Details on authentication and transaction security for financial leasing, factoring, financing and savings finance companies, and on their establishment of contractual relationships electronically,
- Details of the Software Development Kit (SDK) to be used for transaction signing and of the Security Server (SS) configured to communicate directly with this SDK through a separate secure channel, together with the technical obligations and the What You See Is What You Sign (WYSIWYS) principles governing the transaction signing processes carried out through the SDK and SS,
- Technical requirements for building mobile application interfaces.
In this context, the Circular imposes significant obligations on banks, financial leasing, factoring, financing and savings finance companies and other institutions under BRSA supervision, as well as on institutions providing authentication or transaction signing services to them. Among the noteworthy amendments are the permission obligation, the arrangements for executing end-to-end transactions under specific technical rules, and the Regulation on Remote Identification Methods to be Used by Financial Leasing, Factoring, Financing and Savings Financing Companies and Establishment of Contractual Relationships in Electronic Environment. Moreover, the authorization obligation in the Circular is a critical regulation: prior to the Circular, the BRSA legislation contained no such permission or license obligation for external service providers.
For suppliers providing services related to authentication systems, complying with the differing regulations of each sector is another critical issue, and with the Circular the BRSA has introduced regulations that differ from those of the other institutions.
You can access the full text of the Circular here (only available in Turkish).