REGULATION ON REMOTE IDENTIFICATION METHODS TO BE USED BY BANKS AND ESTABLISHMENT OF CONTRACTUAL RELATIONSHIP IN ELECTRONIC ENVIRONMENT

  1. Introduction

    Published in the Official Gazette dated 01.04.2021 and entered into force on 01.05.2021, the Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relationship in Electronic Environment (‘Regulation’) states its purpose and scope in its first article: to regulate the procedures and principles for the remote identification methods that banks may use to acquire new customers, and for the establishment of a contractual relationship over an information or electronic communication device, whether distant or not, as a substitute for the written form or at a distance, for the banking services to be provided after the customer's identity has been verified. In this context, the innovation introduced by the Regulation is understood to be aimed at new customers.

    The Regulation stipulates that the remote identification method is applied without prejudice to the provisions of other legislation, primarily the Law on Prevention of Laundering Proceeds of Crime and the Personal Data Protection Law (‘LPPD’, known in Turkish as KVKK).

    Design of the Remote Identification Process

    Article 4 of the Regulation defines remote identification, emphasises that the method should be designed so as to involve a minimum level of risk, and lists the security measures to be taken in the video call method.

    Accordingly, the process cannot be managed by a single person: a three-stage design is envisaged in which the process, once initiated, is subject to certain controls and is completed only with approval and additional controls. In summary, the process consists of (i) initiation by the person, (ii) continuation under the controls applied by information technologies, and (iii) completion with the approval and additional controls of the customer representative; if the customer representative's controls find the transaction risky, it is sent for a second approval or terminated.
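    The three-stage flow described above, modelled as an added example (not part of the Regulation or of any bank's system): automated controls that terminate early on failure, a representative's approval with escalation of risky cases, and a separation-of-duties rule so that no single person can carry the process end to end. The role names, control names and the risk threshold are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Stage(Enum):
    INITIATED = "initiated"              # (i) started by the applicant
    IT_CHECKED = "it_checked"            # (ii) automated controls passed
    SECOND_APPROVAL = "second_approval"  # flagged risky by the representative
    APPROVED = "approved"                # (iii) completed with manual approval
    TERMINATED = "terminated"

RISK_THRESHOLD = 70  # assumed: a score above this forces a second approval

@dataclass
class Application:
    applicant: str                 # person who initiated the process (stage i)
    stage: Stage = Stage.INITIATED
    risk_score: int = 0
    reviewers: list = field(default_factory=list)  # everyone who approved so far

def _require(app: Application, stage: Stage) -> None:
    if app.stage is not stage:
        raise ValueError(f"expected stage {stage.value}, got {app.stage.value}")
def _new_person(app: Application, person: str) -> None:
    # No single person may carry the process: the initiator and anyone who
    # already approved cannot act as the (next) approver.
    if person == app.applicant or person in app.reviewers:
        raise PermissionError(f"{person} already took part in this process")
def run_it_controls(app: Application, checks: dict) -> Application:
    # Stage (ii): automated controls (constructed names, e.g. chip read, MRZ
    # match, liveness). Any failed control terminates the process early.
    _require(app, Stage.INITIATED)
    app.stage = Stage.IT_CHECKED if all(checks.values()) else Stage.TERMINATED
    return app
def representative_review(app: Application, rep: str, risk_score: int) -> Application:
    # Stage (iii): approval and additional controls by the customer
    # representative; a risky transaction goes to a second approval instead.
    _require(app, Stage.IT_CHECKED)
    _new_person(app, rep)
    app.reviewers.append(rep)
    app.risk_score = risk_score
    app.stage = Stage.SECOND_APPROVAL if risk_score > RISK_THRESHOLD else Stage.APPROVED
    return app
def second_review(app: Application, reviewer: str, approve: bool) -> Application:
    # Second approval by a different person; rejection terminates the process.
    _require(app, Stage.SECOND_APPROVAL)
    _new_person(app, reviewer)
    app.reviewers.append(reviewer)
    app.stage = Stage.APPROVED if approve else Stage.TERMINATED
    return app
```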

    Since the ‘Regulation on Banks’ Information Systems and Electronic Banking Services’ (‘BSEBY’) already covers the risk factors and security vulnerabilities that may arise while executing the processes related to remote identification, there was no need for a separate regulation on the same subject in this Regulation. In the context of Article 43 of the BSEBY, titled ‘remote identification and trust in third parties’, the establishment of distance contracts through remote communication tools in financial services (banking transactions, credit cards, etc.), the secondary legislation of the BRSA and the regulations of the Financial Crimes Investigation Board (MASAK) on the requirements for applications within the scope of remote identification and trust in third parties had already entered daily practice as of 01.01.2021. Therefore, the innovation introduced by this Regulation matters for newly acquired customers, while the aforementioned security measures had already been adopted and implemented.

    Pursuant to Article 5, titled ‘Customer representative to perform remote identification and working environment’, the video call stage is to be carried out by customer representatives who have been trained on the subject; as a result of this training, the representatives are expected to know, within the scope of the Regulation and the legislation, the actions to be taken in case of a security breach. The training is to be provided at least once a year, and additionally whenever there are updates or changes on the subject. The training required under the article is regulated in detail, but the list of training topics is not exhaustive, and particular emphasis is placed on certain mandatory items (see paragraph 7: the necessary training is provided in order to serve persons with disabilities).

    Article 6, on the general principles to be observed when the process is initiated, provides for a pre-application. Before the video call, a risk assessment of the applicant is carried out through a form filled out electronically, and if necessary the process is terminated without starting the video call. The same article also stipulates that, among ‘sensitive personal data’, only data in the biometric data category may be used, and that the person's explicit consent to this is recorded. The provision is supported by Article 6 of the LPPD, which provides that sensitive personal data cannot be processed without explicit consent and lists biometric data among them.

    Pursuant to the fifth paragraph of the same article, the video call is ‘… real-time and uninterrupted. It is ensured that the integrity and confidentiality of the audio-visual communication between the customer representative and the person is at a sufficient level. For this purpose, the video call is carried out with end-to-end secure communication.’ Further, image and sound quality, the white light requirement, mobile phone number verification and the status of the document are also regulated in detail.

    Article 7, titled ‘Identity document that can be used and its verification’, can be summarised as follows: the identity document to be used must carry a ‘chip’ (the more common term for what the text calls a ‘contactless chip’), which is read by near field communication; the road map to be followed while verifying the identity document and the steps the customer representative must take during this process are regulated in detail. Under this article, remote identification cannot be performed with the old identity document, and it is clear that some technological features of the new identity documents will be used. The MRZ (Machine Readable Zone), read with optical character recognition methods, is one example of these features.

    Article 8/1, on the verification of the person to be identified, stipulates that additional measures will be taken against the risks related to fake face technology. On analysis of the article, it is not very clear whether the measures to be taken will only verify the person in terms of ‘liveness’. It is clear that measures will be taken to distinguish whether the other party is physically present live during the call or whether visual communication mechanisms such as a pre-recorded video are used. However, with today's technology, a ‘fake face’ is not produced only in this way.

    With deepfake technology, artificial intelligence learns a person's lip movements and facial expressions and creates algorithms that produce entirely new videos of events that never took place; what may have seemed impossible in the past is today's reality. Deepfake, on which numerous articles have been published in the global press, is seen as one of the biggest threats of the modern world. In addition to being cheap, deepfakes are very difficult to detect, as there is no hard data that specifically identifies one. Indeed, the deepfake phenomenon is very dangerous because of the psychological power of images, sound and video to create belief. Deepfakes can be used to commit violations by spoofing facial biometrics, but this is preventable. Since an authentication system will treat a deepfake as a video, an authentication system that is sufficiently robust against video-based attacks must determine whether what the camera sees is legitimate. To achieve this, the system must have three features: (i) the ability to distinguish between two- and three-dimensional objects, (ii) the ability to verify that what the sensor sees is live, using certified, third-party-tested human liveness detection, and (iii) the ability to match the live three-dimensional image against a previously enrolled three-dimensional ‘face map’ that provides an accurate digital representation of the face.

    Although it is open to debate whether banks can take measures against such software at this stage, in our opinion the letter and spirit of the Regulation cover this possibility. However, since the accelerating development of technology under pandemic conditions will widen the use of such technologies and thus the possibility of violations, it is important that legal regulation keeps pace with them.

    Another important concept mentioned in the Regulation is ‘near field communication’. Near field communication (NFC) is a short-range wireless communication technology. In the simplest terms, it is the technology that enables communication between a credit card and a cash machine. Under the Regulation, a biometric comparison is made between the photograph on the contactless chip, read via near field communication, and the face of the person.

    Further, the provision reading ‘… In this context, the risks related to phishing, social engineering, movements under pressure due to the coercion of another party and similar fraud methods are taken into consideration.’ indicates that the customer representative performing the transaction may also be expected to detect fraud indicators such as ‘pressure’ during the video call. In that case, it would not be incorrect to say that psychological training should be among the training that customer representatives receive, even though it is not listed under Art. 5.

    Art. 9, on termination of the process in video calls, regulates ending the call before the process is completed. The process may be terminated directly in case of any problem or suspicion arising from issues such as the connection, image quality, any inconsistency or uncertainty in the process, document validity, fraud or forgery. Since banks bear a high responsibility for taking security measures, termination of the process is, correspondingly, not subject to heavy conditions.

    Article 10, titled ‘Recording and storage of data’, states that the entire process will be recorded and stored, and reserves the provisions of the relevant legislation on information and document retention requirements. In our opinion, this article needs to be regulated in more detail. Since ‘biometric data’, which falls within the special categories of personal data, will be retained and stored, it is important under the Personal Data Protection Law to clarify what will happen to the data, and how long it will be stored, if the process is cancelled unilaterally by the customer. Since the BRSA prohibits the transfer of data abroad, general, even if not detailed, provisions on how these data will be stored or which cloud system will be used are among the elements one would expect in a long-awaited regulation. However, it may be that the legislator considers the legislation in force sufficient and sees no need for a separate regulation on this point.

    Although the LPPD does not define biometric data, which falls within the special categories of personal data, the European General Data Protection Regulation (‘GDPR’), which entered into force on 25.05.2018, defines biometric data as ‘personal data resulting from specific technical processing in relation to physical, physiological or behavioural characteristics, such as facial images or dactyloscopic data, which enable or confirm the unique identification of a natural person’. In the decision of the 15th Chamber of the Council of State numbered 2014/4562, it is stated that biometric methods refer to identity control techniques based on measurable physiological and individual characteristics that can be verified automatically, and that these methods include fingerprint recognition, palm scanning, hand geometry recognition, iris recognition, face recognition, retina recognition and DNA recognition. Considering this, it is indisputable that remote identification methods fall within this scope.

    When the data processed in remote identification is considered against the principle of being relevant, limited and proportionate to the purpose for which it is processed, one of the general principles in Article 4 of the LPPD, it can be argued that the processing activity rests on a legitimate basis. However, banks and their auditors must act with the awareness that, because of the biometric nature of the data processed in this activity, the responsibility and sanctions in terms of relevance, limitation and proportionality to the purpose are heavy.

    Given the Personal Data Protection Board's sensitive approach to ‘biometric data’, the lack of detailed regulation, especially in terms of storage and preservation measures, may lead to significant violations on the part of banks. Responsibility for remote identification rests with the bank. In case of objection, the burden of proof will also be on the bank. The BRSA is authorised to restrict and suspend the bank's remote identification activities upon complaint.

    Establishment of the Contractual Relationship in Electronic Environment

    In order to establish the contractual relationship following identification, the declaration of will establishing the contract must be obtained. Although this article also regulates how the declaration of will is obtained where, after remote identification, the person goes to the branch and signs with a wet signature, its most important innovation is the removal of the wet signature requirement. In listing the conditions for establishing a contract that replaces the written form, it refers to the customer-specific encryption secret key specified in Articles 38/3 and 39/1 of the BSEBY. These codes, which cannot be imitated or derived once a single-use verification code has been generated, are rendered invalid after the transaction is performed.

    Conclusion

    In the light of this information, the most important innovations introduced by the Regulation can be summarised as follows:

    (i) extending remote identification methods, already in use for certain transactions with banks' existing customers, to new customers as well,
    (ii) detailing the remote identification processes and introducing additional requirements,
    (iii) an insufficient but important first regulatory step on the measures to be taken against fake face technologies, and
    (iv) the removal of the wet signature requirement.

    Although the article of the Regulation on the measures to be taken against fake face technologies has been drafted with the speed of technological development in mind, we believe that an issue for which a concrete need is quite likely in the near future should urgently be specified in concrete terms.

    Likewise, the fact that the storage of biometric data, which falls within the category of sensitive personal data, is not regulated in detail may lead to serious legal sanctions.

    The detailed provisions of the Regulation, especially those governing the procedures and principles for video calls, indicate that the process is taken seriously. The areas that are missing are those already governed by existing legislation and that in some way intersect with the scope of that legislation.

    Therefore, it would not be a wrong interpretation to say that the scope of the Regulation is relatively wide and sufficient to meet the need for regulation, at least for the time being.