The Financial Regulatory Landscape in Turkey is Modernizing Quickly
It's no secret that customers today demand significantly more from their banks and financial markets. For example, banks are expected to provide a fully digital and seamless experience across all channels through which the customer interacts with the bank. In addition, this level of service is expected whether purchasing an item online or taking out a loan.
At the same time, new regulations are placing increased importance on security which, combined with the persistent threat of fraud and cyberattacks, means ensuring customer security must be a top priority in the banking sector.
Breaking Down the New Banking Regulations in Turkey
In November 2019, the amendments to Turkey’s Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 7192) were enacted and published in the Official Gazette (Issue: 30956). The original 2013 law provided the legal framework for payment companies, payment and securities settlement systems, and electronic money companies.
The revised law came into effect on 1 January 2020. It significantly enhances the existing law for open banking within the Republic of Turkey. In addition, the law surprisingly empowers the Central Bank of the Republic of Turkey rather than the Banking Regulation and Supervision Agency to serve as regulator of payment services and open banking service providers. Under the law, open banking and payment service providers (PSPs) must apply to the Central Bank to obtain the authorization by 1 January 2021.
In response, the President of ÖDED, the country’s Payment and Electronic Money Association, Burhan Eliaçık, said:
“This development is a source of great happiness and pride for the payment services sector.”
“With this law, while achieving compliance with international regulations and standards, we will rapidly move towards a payment ecosystem where innovative and low-cost products and services become widespread.”
While Turkey has changed its law and empowered the Central Bank to regulate open banking, it has no plans to develop its own open banking system. Instead, through its close relations with the European Union coupled with the fact that several foreign banks also operate in the EU, Turkey is one of the first countries outside of the EU to adopt the revised Payment Services Directive (PSD2).
ÖDED genuinely embraced the adoption of PSD2. According to Eliaçık, “Applications that enable users to query and transfer their balance will come into our lives and this will ensure compliance with the EU’s Payment Services Directive 2 regulation which the sector eagerly looked forward to, and open banking applications will be developed within the framework of the procedures and principles set by the Central Bank of Turkey.”
To coincide with the effective date of the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, the open banking provisions of PSD2 also took effect on 1 January 2020.
New Regulation in Force: 1 July 2020
Most recently, on 15 March 2020 Turkey’s Banking Regulation and Supervision Agency published the Regulation on Information Systems of Banks and Electronic Banking Services in the Official Gazette (Issue: 31069). The regulation will enter into force on 1 July 2020 and significantly impacts banks, auditing firms, technology firms offering outsourced services to banks, and companies offering “open banking” solutions.
The regulation addresses:
- Establishment and management of information systems of banks
- Information security of banks
- Electronic banking services
Due to the impact on open banking, it is worth highlighting specific articles. Each channel (Internet, mobile, telephone banking) is subjected to detailed regulations in terms of authentication and transaction security.
Article 34 mandates that banks’ staff and customers use two-factor authentication (2FA) for customer account access and transactions. The regulation includes an example of using the Turkish Identity Card with the card’s PIN or biometric data or the use of the electronic signature.
The regulation addresses widely reported concerns regarding the security issues associated with SMS-OTP. Banks are permitted to send a one-time password (OTP) or verification code via SMS in the initial setup, activation, and reactivation stages of the mobile banking application. However, banks cannot send an OTP or verification code via SMS to customers who have installed and activated the mobile banking application, to verify any transactions during the login or the session and use it as an authentication element.
Article 34 also addresses concerns regarding mobile application security. The regulation requires that any software or mobile application offered by the bank to its customers for use in electronic banking services can be verified as the relevant bank. Banks must ensure that any software or mobile app does not contain code that would endanger customer security and to provide the necessary patches and updates to the customer to resolve vulnerabilities. While the regulation does not specifically state that mobile apps must undergo a mobile application shielding process to protect against malware, it is an industry best practice.
Article 36 requires the bank to implement transaction tracking mechanisms to detect and prevent unusual or fraudulent transactions within the scope of electronic banking services.
Should fraudulent attempts at transactions occur, the banks must be able to track and report on:
- Known fraud method(s) used
- A producible audit trail able to prove “the amount of each transaction performed and whether the customer shows an unusual payment, funds transfer, or behavior pattern according to these amounts, using the location information”
- Any signs that malware may have infected the authentication session
Should a fraud attempt be detected, the bank must alert the customer across multiple channels, such as during a login to the bank’s mobile app, telephone, or text message.
Article 41 addresses secure communication when using open banking services. The communication between the customer or the party acting on behalf of the customer and the bank must be in the form of end-to-end secure communication, provided that the bank implements additional compensatory controls and additional restrictions on resources to which the customer can contact.
Article 43 addresses remote identification and trust to the third party. This permits a bank to use remote identification methods to determine the identity of the customer or the person acting on behalf of the customer without prejudice to the existing Law on Prevention of Laundering Crime Revenues or, through open banking services, from another bank that has already performed the identity proofing event.
Further, the regulation requires banks to detect and prevent fraud in electronic banking services with tracking mechanisms. Customers using electronic banking services provided by a bank must be explicitly presented the terms and risks associated with the e-banking services.
The regulation also provides authentication and transaction security provisions. These provisions are related to online banking, mobile banking, telephone banking, open banking services, and ATM banking.
In-country Cloud Hosting Requirement
In many countries, financial institutions are leveraging the security, redundancy, and financial benefits of cloud data storage. The use of cloud computing services by outsourcing is included. However, the regulation does require third-party software or cloud services providers to host their systems and data in Turkey. Outsourced services related to primary systems also qualify as primary systems and must be located in Turkish territory.
What’s Next for Banking Regulations in Turkey?
The timing of the regulation is closely tied with the release of the Financial Action Task Force’s Digital Identity Guidance. The regulation permits banks to use remote identification methods to digitally onboard new customers (i.e., “non face-to-face” account opening) to determine the identity of the client.
It is highly likely that Financial Crimes Investigation Board (Mali Suçları Araştırma Kurulu) (MASAK) of the Ministry of Treasury and Finance will update its regulations as they pertain to Know Your Customer (KYC), anti-money laundering (AML), and counter-terrorist financing.
The roll-out of PSD2 and enforcement of the Regulation on Information Systems of Banks and Electronic Banking Services will put Turkey’s financial system in the spotlight. While banks will reap rewards in terms of efficiency and cost savings, the Turkish people may be the biggest winners of all.