2019-05-07
The Bank of Israel amended Proper Conduct of Banking Business Directive no. 367 to allow banking corporations to determine the identification and authentication methods for low-value remote transfers (the first threshold limit in Section 60) on the basis of their own board-approved risk assessment; requirements above that limit are unchanged. The regulator also expanded the definition of e-banking services to include fax transmissions, thereby subjecting this channel to the existing identification, authentication, and risk management requirements. Additionally, the circular simplified the Know Your Customer process for minors by removing the mandatory real-time remote interaction during account opening, and cancelled Sections 20 and 24 to align online account opening with branch procedures.
Bank of Israel
Banking Supervision Department
Technology and Innovation Division
IT Regulation and Examination Unit
May 7, 2019
Circular no. C-06-2588
Attn: Banking corporations and credit card companies
Re: E-Banking (Proper Conduct of Banking Business Directive no. 367)

Introduction
Explanation
Until now, “fax” was excluded from the definition of “e-banking services”, and accordingly the provisions of the Directive did not apply to banking services provided via fax. The amendment applies the various sections of the Directive to banking services provided via fax as well. Accordingly, the requirements of Sections 9–17 of the Directive, among others, apply to fax within the framework of managing e-banking risks. This includes carrying out a risk assessment (which is to refer to, among other things, the type of customer, the sensitivity and confidentiality of the information, the possibility of encrypting the information, and the frequency and scope of the information sent) and, on that basis, establishing the types of information and activities that may be transferred and executed via fax, while integrating appropriate controls, including controls for the identification and authentication of customers who wish to execute banking activities via fax, as required in the Directive.

4. Updating the means of identification and authentication required in the first threshold limit for transfers

“A banking corporation shall set limits on amounts of transfers, payments and other transactions to beneficiaries, as follows: (a) A maximum amount, within which personal means of identification and authentication as established by the banking corporation in accordance with the risk assessment and policy approved by its board as noted in Section 40 above, shall be required; (b) A maximum amount, which—between the maximum amount in Section (a) above and that amount—shall require the use of two factor authentication; (c) Beyond the maximum amount in Section (b) above, the use of technology that combines identification and authentication of the user, secrecy and data integrity and prevention of denial shall be required.” (Section 60 of the Directive)

Explanation
Until now, at least one authentication factor was required for the remote execution of transactions, payments, and other activities to beneficiaries at amounts within the first threshold limit for transfers. The amendment enables a banking corporation to determine the means of identification and authentication for such activities as well, derived from its risk assessment and in line with its policy as ratified by the board of directors. This opens additional options for the use of digital channels and makes a customer’s communication with the bank easier. There is no change in the requirements regarding the means of identification and authentication for amounts above the limit noted in Section 60(a) of the Directive: two-factor authentication remains required between the limits in Sections 60(a) and 60(b), and technology providing identification and authentication, secrecy, data integrity, and non-repudiation remains required above the limit in Section 60(b).
5. The “Know Your Customer” process when opening an account for a minor

“In the process of opening an account for a minor, the banking corporation is to verify that before the account is opened, the minor shall have the opportunity to receive explanations and responses to questions he or she may have with regard to this process from a representative of the banking corporation, through a remote face to face or telephone interaction in real time. During the course of the process of opening an account for the minor, the banking corporation shall provide a face to face explanation to the minor on the manner of managing the account, with an emphasis on the unique characteristics of a minor’s account.” (Section 18(d)(1) of the Directive)

Explanation
The process of opening an account for a minor may now be carried out without a remote face-to-face interaction in real time, provided that, before the account is opened, the banking corporation gives the minor the opportunity to receive explanations and answers to any questions he or she may have about the process from a representative of the banking corporation, through a remote face-to-face or telephone interaction in real time.

6. The “Know Your Customer” process
Section 20—cancelled

Explanation
Since the publication of Proper Conduct of Banking Business Directive no. 367, there have been several amendments to Proper Conduct of Banking Business Directive no. 411 on “Management of Anti-Money Laundering and Countering Financing of Terrorism Risks” relating to opening an account online. Among other things, these amendments defined “online account activity” as a risk factor when classifying a customer’s risk level in the “Know Your Customer” process (Section 28(p)). In addition, Section 23 of Proper Conduct of Banking Business Directive no. 367 already contains a guideline for enhanced monitoring of activity after the remote opening of an account (one of the steps to be taken when a customer is identified as high risk in accordance with Proper Conduct of Banking Business Directive no. 411). In view of the above, Section 20 is cancelled.

7. Limitations on an online account
Section 24—cancelled

Explanation
As an additional step toward fully equating the terms of opening an account online with those of opening an account at a branch, the limitations and controls established regarding checks in an online account have been deleted.
To remove any doubt, the provisions of this amendment do not remove any of the requirements of Proper Conduct of Banking Business Directive no. 431 on “Checkbooks” with regard to issuing checks in an online account, including the banking corporation’s obligation to manage its own risks and the customer’s risks in this regard.

Effective date and transitional provisions
8. The changes to this Directive go into effect upon their publication, except the amendments regarding fax (Sections 5, 8, and 60 of the Directive), which go into effect on January 1, 2020. A banking corporation may, however, act in accordance with these sections at an earlier date.
9. See the transitional provisions regarding fax in Section 77 of the Directive. It is clarified that, with regard to the transitional provisions in Section 77, an agreement to receive information and execute transactions via fax may be part of another agreement between the customer and the banking corporation, such as an agreement to open an account as defined in the Prohibition on Money Laundering (The Banking Corporations’ Requirements regarding Identification, Reporting and Record-Keeping for the Prevention of Money Laundering and the Financing of Terrorism) Order, 5761–2001, an agreement on general terms of contract, or an issuance agreement.

Update of file
10. Update pages for the Proper Conduct of Banking Business Directive file are attached. The provisions of the update are as follows:

Remove page: (11/18) [6] 367-1-25
Insert page: (05/19) [7] 367-1-26

Respectfully,
Dr. Hedva Ber
Supervisor of Banks