February 2022 – Capital Markets Board of Turkey (“CMB”) recently published two regulations on remote identification and the establishment of contractual relations in the electronic environment: the Communiqué on remote identification methods to be used by intermediary institutions and portfolio management companies and the establishment of contractual relations in the electronic media III-42.1 (“Communicated III-42.1”), and the Communiqué amending the Communiqué on documentation and registration systems for investment services and activities and ancillary services (“Communicated III-45.1.b”).
These two regulations make it possible to establish relations between intermediary institutions and asset management companies and their clients either in writing or by using remote communication tools. Thus, contracts can be concluded by verifying the identity of the client on information or electronic communication media within the framework determined by CMB. By authorizing such means, Communiqué III-42.1 introduced a new mode of concluding contracts in addition to the written form, which was the default mode set by law. In addition, the CMB has also introduced various changes through Communiqué III-45.1.b in order to catch up with new developments in this area and meet emerging needs in practice.
Both regulations enter into force one month after their publication and together introduce a new method of electronic identification and conclusion of distance contracts. The CMB has also introduced an identity verification application for activities to be carried out in the electronic environment.
Below, we highlight the main changes introduced by the two releases.
1) Press Release III-42.1
Rules regarding system security have been determined
Among the things that intermediary institutions and asset management companies must do to ensure the security of the system are the following:
- review the remote identification procedure put in place at least twice a year;
- comply with the provisions of Law No. 5549 on the prevention of laundering of the proceeds of crime and Law No. 6698 on the protection of personal data;
- ensure that only biometric data of sensitive personal data is used for the remote identification of individuals and that their explicit consent is recorded in the electronic environment.
Obligation to obtain customer application forms before introducing video calls
According to Communiqué III-42.1, customer requests during the remote identification process must be received via an electronically completed form prior to the video call. Thus, Communiqué III-42.1 also lists the types of information about the data subject to be included in the form received (surname and first name, address, signature sample, etc.).
The minimum conditions for carrying out remote identification and establishing the contract have been determined
Following the remote identification, verbal approval must be obtained from the person concerned as to their acceptance to become a client of an intermediary institution or a portfolio management company.
As a result:
- the intermediary institution or the portfolio management company must transmit all the terms of the contract in the electronic environment to the client in such a way that the client can read them;
- the contract must be signed with a secret encryption key specific to the client specified in the Document Registration Notice and be sent to the intermediary institution or the portfolio management company;
- the intermediary institution or the portfolio management company must ensure that the content of the contract communicated to the client and the content of the contract signed by the client are identical.
All types of contracts, such as sureties, endorsements or assignments, which govern relations between intermediary institutions or portfolio management companies and clients and which are concluded in compliance with the above conditions, are deemed to be in writing.
A liability regime on possible risks that may arise from the remote identification process has been established
In the event of a dispute regarding any transaction creating an obligation with respect to related persons or a third party, the burden of proof lies with the intermediary institution or the asset management company. Similarly, it is also the responsibility of the latter to ensure that the solutions used for remote identification are conducted in such a way as to minimize the risk of identification error.
2) Communiqué III-45.1.b
Framework agreements concluded with customers can be executed via electronic media
Contracts to be concluded electronically must be executed in accordance with communiqué III-42.1 and a copy thereof or access to this agreement on electronic media must be provided to the customer.
Identity authentication app has been introduced
Intermediate institutions must implement the identity authentication mechanism (“Authentication”) for their investment services and activities provided to their clients. The Authentication to be used must be composed of at least two independent components (ie components that the client knows or owns, or that have a biometric characteristic).
With regard to authentication, a verification code must be provided to the customer. This verification code:
- will be generated as disposable;
- will be signed with an encrypted secret key assigned to the client;
- must not provide access to the information included in the authentication request;
- must allow the use of multiple verification codes across the existing code.
The intermediary institution must also perform several functions to prevent any unsuccessful authentication attempts.
The delivery time for account statements requested from customers has been reduced
The delivery time for account statements to customers has been reduced from seven working days to five working days.
The retention period for electronic records has changed
While the retention period for voice recordings was set at three years in the relevant article, the mandatory retention period for all documents, including voice recordings and those obtained during the remote identification process, has been set. at 10 years by Communiqué III-45.1.b.