2018-11-13

Bank of Israel Circular on E-Banking Amendments to Proper Conduct of Banking Business Directive

The Bank of Israel issued Circular C-06-2578 to amend the Proper Conduct of Banking Business Directive, permitting banking corporations to allow customers to remotely add or remove account holders and authorized signatories. The regulation mandates that banks implement robust risk identification, enhanced monitoring for online accounts, and strict remote identification protocols using video or digital authentication. It further requires that high-risk transactions be authenticated via at least two factors and that anti-money laundering reviews be updated to cover these new digital activities.


Israel

Bank of Israel


Bank of Israel
Banking Supervision Department
Technology and Innovation Division
IT Regulation and Examination Unit

November 13, 2018
Circular no. C-06-2578

Attn: Banking corporations and credit card companies

Re: E-Banking (Proper Conduct of Banking Business Directive no. 367)

Introduction

  1. The current amendment makes it possible to remotely add or remove an account holder or authorized signatory in an account, and thus serves as an additional stage in promoting digital channels and expanding the number of services that can be provided via digital means without physically arriving at the branch. In addition, the amendment cancels the restrictions that had been in place until now on an account that was opened online, regarding changing an account holder after it had been opened and regarding account activity of an authorized signatory. It thus takes an additional step toward fully equating terms of an online account with the terms of an account opened at a branch.

Amendments to the Directive

  2. The banking corporation is to outline the unique risks inherent in the process of opening an account online, for both the banking corporation and its customers, including remotely adding or removing an account holder or authorized signatory. It shall establish ways to reduce the exposure to the banking corporation and to the customer, including stopping the online process and referring the customer to the branch if necessary. (Section 18(g) of the Directive).

Explanation

A banking corporation shall establish indicators for identifying cases in which there is an enhanced risk when adding or removing an account holder or authorized signatory remotely, among other things due to the concern of abuse of the process or of the customer, and particularly among weaker populations, such as taking advantage of the elderly, cases of violence in families, etc. In such cases the banking corporation shall cease the online process and refer the customer for the continuation of the process to a physical alternative (i.e., a branch of the bank), and document the reasons for doing so.

  3. An online account, including an account in which an account holder was added remotely, shall be marked and identified as an online account in the banking corporation's computer systems, to monitor risks and enhance monitoring for a period to be determined by the banking corporation in accordance with a risk assessment. (Section 23 of the Directive).

Explanation

Every remote activity of adding an account holder to an account requires the marking and identifying of the account as an online account in the banking corporation’s systems in order to monitor risks and conduct enhanced tracking for a period of time that will be set by the banking corporation and in accordance with the risk assessment. To remove doubt, a remote activity of removing an account holder from an account or adding or removing an authorized signatory to an account does not require the marking and identification of the account as an online account.

  4. Section 25 of the Directive is cancelled.

     Section 26 of the Directive is cancelled.

     A banking corporation may remove the restrictions on an account that was opened online, including those that were imposed on an account in which an account holder was added remotely, as described in this chapter, after completing the full identification of the customer in accordance with the provisions of the Order (Section 27 of the Directive).

Explanation

Until now, the Directive did not allow the carrying out of the following transactions in an online account:

  • Changing the composition of account holders (opening an online account with several holders was possible, but only at the time of opening the account)
  • Activity by an authorized signatory

A customer who wanted to execute one of the above transactions had to go to the branch in order for the banking corporation to complete its full identification in accordance with the provisions of the Order. Only after said identification was the customer given the option of changing the composition of account holders in the account or of appointing an authorized signatory in the account.

Beginning from the amendment date, a customer wishing to carry out one of the transactions listed above will be able to do so in an online account as well. Accordingly, Sections 25 and 26 of the Directive were cancelled.

However, to remove doubt, the limitations imposed in the Directive on an account opened remotely will only be removed after completing the full identification of all the holders in accordance with the provisions of the Order. Accordingly, these limitations will apply in the following cases as well:

  • An account that was opened in a branch and holders were added to it remotely
  • An online account that switched to not being an online account and subsequently holders were added to it remotely

  5. A banking corporation may enable its customers to remotely add or remove an account holder or authorized signatory in accordance with the following rules:

     (a) Identification and authentication of the identification particulars of each of the following, as relevant: one requesting to add an account holder or authorized signatory (hereinafter, “the adder”), one requesting to remove an account holder or authorized signatory (hereinafter, “the remover”), one requesting to join as an account holder or authorized signatory (hereinafter, “the one being added”), or one requesting to be removed from the account in which he is listed as account holder or authorized signatory (hereinafter, “the one being removed”), shall be in accordance with the guidelines in Sections 19(a)–(b) of this Directive, except for Section 19(b)(2) that applies only to the one being added as account holder or authorized signatory.

     (b) Notwithstanding the provisions of Subsection (a) above, the identification and authentication of the identification particulars of the one requesting to add or remove an authorized signatory who has qualifications imposed on him that prevent him from carrying out transfers, payments, or other activities to beneficiaries, as well as someone with power of attorney to manage investment portfolios who holds a portfolio management license, can be carried out through at least two authentication factors as well.

     (c) Identification of the adder or remover and the authentication of their identification particulars, as well as the identification of the one being added or the one being removed and the authentication of their identification particulars do not have to be at the same time, provided that the banking corporation adopted measures to verify that the one who was identified and authenticated as the one being added or the one being removed as noted is in fact the one being referred to in the request to add or remove.

     (d) All the provisions related to an applicant to open an online account in Chapter C above, shall apply, with the necessary changes and in accordance with all laws, on the adder, remover, the one being added and the one being removed.

     (e) Adding or removing an account holder remotely shall not be permitted in a corporate account.

     (f) Regarding one with a power of attorney to manage investment portfolios—it will not be possible to remotely add someone who does not have a portfolio management license.

     (Section 39a of the Directive)

Explanation

  6. The amendment makes it possible to execute the following transactions remotely, both in an online account and in an account that was opened at a branch:

     • For an individual to add or remove an account holder
     • For an individual and corporation to add or remove an authorized signatory

     It is emphasized that at this stage, the Directive does not allow remotely adding or removing account holders in a corporate account.

  7. Remote identification and authentication of the adder or the remover as well as remote identification and authentication of the one being added or removed, shall be carried out in a manner similar to the identification and authentication of an individual applying to open an online account. That is, the adder, remover, the one being added, or the one being removed, have three options:

     • Use of video conference technology, in conjunction with an identity card and additional identification document issued by the State of Israel, and to the extent that it is a case in which identification and authentication is needed for one requesting to be added as an account holder or authorized signatory, executing a bank transfer is required as well (See Section 19(b) of Directive 367). Note that similar to the provisions of Section 21 of Circular no. C-06-2507, dated July 21, 2016, the requirement of a bank transfer during the remote identification and authentication process of one being added, whether as an account holder or authorized signatory, can also be fulfilled by a transfer from the banking corporation holding the account to which the customer is being added as an account holder or authorized signatory, to an account under the name of the customer at another banking corporation in Israel, while receiving a report from the customer on the precise amount received.

     • Use of technology for remote face-to-face identification and authentication in conjunction with an ID card (See Section 19(a) of Directive 367).

     • In the case of adding or removing an authorized signatory upon whom there are qualifications preventing him from carrying out transfers, payments, and other transactions to beneficiaries, as well as one granted power of attorney to manage investment portfolios who holds a portfolio manager license, the identification of the adder or the remover can also be carried out by another way, of using two authentication factors as defined in the Directive.

  8. Section 3(a) of the Banking (Service to Customer) (Full Disclosure and Handing Over of Documents) Rules, 5752-1992 (hereinafter, “the Full Disclosure Rules”) establishes that an agreement such as a power of attorney or other type of authorization needs to be set down in writing while providing the opportunity to the customer to look it over before signing it. In accordance with Section 2(a)(2) of Amendment no. 3 dated February 28, 2018, to the Electronic Signature Law, 5761-2001, (hereinafter, “the Electronic Signature Law”), the signature requirement set in the Full Disclosure Rules can be fulfilled via electronic signature as defined in the Electronic Signature Law, provided that it offers a response to the relevant ends that are at the basis of the signature requirement in those rules. The signature can be carried out via an e-banking channel to which the customer is signed up, and provided that the power of attorney agreement will be executed in writing while giving the customer the opportunity to look it over before signing it and that documentation of the signature is retained.

  9. The Directive does not require that the one being added as an account holder or authorized signatory in the account be remotely identified and authenticated together with the account’s existing holders requesting to carry out the activity. Therefore, to the extent that such activities are not carried out concurrently with all sides present, the banking corporation shall take appropriate measures in order to verify that the one identified and authenticated as the one requesting to join said account, is in fact the person to whom the account’s existing holder referred. All the above provisions apply as well to the activity of removing someone from the account.

  10. All the principles detailed in Chapter C of Directive 367 that apply to one requesting to open an online account, shall apply as well when adding or removing an account holder or authorized signatory to the account, with necessary changes and in accordance with the provisions of all laws. Thus, for example:

     • Section 2a of the Order establishes that the banking corporation is required to conduct a “Know Your Customer” process for one requesting to be added as an account holder or authorized signatory in an account. In accordance with the requirements of Section 20 of Directive 367, this process is to be carried out in a manner similar to the process carried out with regard to other high-risk customers.

     • Section 2(e) of the Order establishes that the banking corporation is required to ask that one requesting to be added as an account holder sign a declaration of beneficiaries. In accordance with the requirements of Section 22 of Directive 367, in a case of remotely adding an account holder, the signature on the declaration of beneficiaries shall be online, and the banking corporation is to document the one requesting to be added as an account holder declaring in his voice that the account has no beneficiaries other than the account holder.

  11. Section 36(a) of Proper Conduct of Banking Business Directive no. 411, on “Management of Anti-Money Laundering and Countering Financing of Terrorism Risks” establishes that “a banking corporation shall carry out reviews to ensure the existence of appropriate and up-to-date information and shall carry out heightened reviews of high-risk customers”. Section 36(b) of Proper Conduct of Banking Business Directive no. 411 establishes that the reviews “shall be carried out at times and upon the occurrence of events that the banking corporation specifies in its procedures, e.g.,…when the way the account is managed changes significantly”. Accordingly, the banking corporation is to establish in its procedures how to handle cases of remote addition or removal of an account holder or authorized signatory, with regard to the said reviews.

  12. Transactions defined as high risk, in accordance with the principles approved by the Board of Directors, will be allowed following authentication by at least two authentication factors. A high-risk transaction shall include, at a minimum:

     (a) Transfers, payments and transactions over the first limit threshold prescribed by the banking corporation in accordance with Section 60(a) below;

     (b) Adding a channel and a service that is other than for information only;

     (c) Cash withdrawals from Automated Teller Machines (ATMs).

     (d) Change of the contact details or the name of the account holder in accordance with Sections 57–58 below.

     (e) Adding or removing an authorized signatory upon whom there are qualifications that prevent them from carrying out transfers, payments, or other activities to beneficiaries, in accordance with Section 39a(b) of this Directive.

     (f) Adding or removing one with power of attorney to manage investment portfolios, who has a portfolio management license, in accordance with Section 39a(b) of this Directive.

     (Section 42 of the Directive).

Explanation

The amendment defines the activity of adding or removing an authorized signatory upon whom qualifications are imposed that prevent him from carrying out transfers, payments, or other activities to beneficiaries, as well as the activity of adding or removing someone with power of attorney to manage investment portfolios, as high-risk activities that are possible after authentication of the adder/remover via at least two authentication factors.

Effective date

  13. The changes to this directive shall go into effect with their publication.

Update of file

  14. Update pages for the Proper Conduct of Banking Business Directive file are attached. Following are the provisions of the update:

     Remove page              Insert page
     (10/18) [5] 367-1-24     (11/18) [6] 367-1-25

Respectfully,
Dr. Hedva Ber
Supervisor of Banks