The Draft Circular Numbered 2022/2 on Establishing Criteria for Identity Authentication and Process Security in the Establishment of Contractual Relationship in Electronic Banking Services and Electronic Medium (“Draft Circular”) states that its attached explanations (“Explanations”) should be taken into consideration when applying certain provisions on identity authentication and process security in electronic banking service channels. The provisions concerned are those of the Regulation on Information Systems and Electronic Banking Services of Banks, the Regulation on Remote Identity Detection Methods to be Used by Banks and the Establishment of a Contractual Relationship in the Electronic Medium, and the Regulation on the Operational Principles of Digital Banks and Banking as a Service. The stated purpose is to clarify the uniform application of these provisions without compromising process security and to eliminate any doubts that may arise in their implementation.
According to the Explanations:
- Pursuant to the provisions of the Regulation on Information Systems and Electronic Banking Services of Banks regarding authentication and process security, including authentication and process security in internet banking, it is not possible to send an OTP or “verification code” via SMS to verify any process after the session, except where customers have installed the mobile banking application for the first time and activated it, have reactivated the mobile application, or the application is unavailable. Such notifications via SMS should only be resorted to in the exceptional cases specified in the provisions, and it is not necessary to make this a routine practice.
- The Specific Software Development Kit of the service bank should be embedded within the mobile application interface of those who will operate as an interface provider in accordance with the Regulation on the Operational Principles of Digital Banks and Banking as a Service. The process signing flows specified in the Draft Circular should be transmitted through a separate end-to-end secure channel dedicated to the service bank’s Specific Software Development Kit in this mobile application interface, and should be executed through the Security Server of the service bank, which is configured to communicate with this Specific Software Development Kit.
- The Explanations also cover the WYSIWYS (What You See Is What You Sign) principle and the adaptation of the products used, developed and purchased for identity authentication and process signing.
You can access the full Turkish text of the Draft Circular from the link below.