2020-12-30

Bank of Israel Circular on E-Banking Amendments

The Bank of Israel amended Proper Conduct of Banking Business Directive no. 367 to permit the remote opening of corporate bank accounts and more flexible identification methods for signing up to e-banking services. The amendment allows a corporation's authorized signatories to be identified and authenticated remotely and allows banking corporations to accept lawyers' certifications signed with an electronic signature, while requiring that the means of identification and authentication follow the banking corporation's risk assessment and board-approved policy. Additionally, the update aligns the Directive with the Payment Services Law and requires cyber incidents to be reported under Directive no. 366.


Israel

Bank of Israel


Bank of Israel
Banking Supervision Department
Technology and Innovation Division
IT Regulation and Examination Unit

Jerusalem, December 29, 2020
Circular no. C-06-2645

Attn: Banking corporations and credit-card companies

Re: E-Banking (Proper Conduct of Banking Business Directive no. 367)

Introduction

1. In recent years, the Banking Supervision Department has implemented a comprehensive process of identifying and removing regulatory barriers that prevent full access to remote banking services, through reducing the need to arrive at the branch. As part of this, the Banking Supervision Department has regulated, among other things, the following issues: opening an online account for an individual, appointing a portfolio manager remotely, and the option of adding or removing an authorized signatory in an individual account.

Until now, remotely opening an account for a corporation has not been allowed, mainly due to the assessment of the risks inherent in opening an account for a legal entity that is not an individual.

Against the background of the said process, and against the background of the experience accumulated in Israel’s banking system in recent years with regard to remotely opening an account for individuals, and particularly the use of technologies that allow identification and authentication with reduced risks, the Supervisor of Banks decided as part of this amendment to use the authorization granted to the Supervisor based on Section 7a of the Prohibition on Money Laundering (The Banking Corporations’ Requirements regarding Identification, Reporting, and Record-Keeping for the Prevention of Money Laundering and the Financing of Terrorism) Order, 5761–2001 (hereinafter, “the Order”) and to regulate an alternative method of identification and authentication of particulars to the one required in the Order, which will allow the remote opening of an account for a corporation.

In accordance with the amendment, an authorized signatory on behalf of a corporation requesting to open an account can be identified and authorized remotely via one of the two ways established in the Directive for identifying an individual requesting to open an account.
A banking corporation may continue to receive the corporation’s required documents in accordance with Section 3(a)(3) of the Order in the same manner it has received them until now. However, in addition, in accordance with the amendment, there is an option to receive the following—the corporation’s documents and lawyers’ certifications required in accordance with Section 3(a)(3) of the Order as a certified copy, and a lawyer’s certification regarding the decision of the competent function at the corporation to open an account, and a lawyer’s certification of the authorized signatories to manage the account—online, signed with an electronic signature, as defined in the Electronic Signature Law, 5761-2001, of the lawyer, which complies with the purposes of the provisions of the Order in this regard.

Regulating the principles for opening a corporate account remotely is an important pillar in creating the infrastructure that will enable the banking corporations to offer corporations, not just individuals, the option of receiving banking services without having to arrive at the branch.

2. On October 14, 2020, the Payment Services Law, 5779-2019, went into effect, cancelling the Debit Cards Law, 5746-1986. The references to that law were updated accordingly in the Directive.

3. Until now, the method of identifying and authenticating the customer before being added remotely to e-banking services was established in accordance with the principles appearing in the Directive. The current amendment enables the banking corporation to establish means of identification and authentication in line with its risk management and subject to the policy approved by the board of directors. This amendment will enable the banking corporations to simplify the identification and authentication process for their customers requesting to remotely join e-banking services, and will thus assist in expanding the variety of possible services that can be provided via digital means without the need to arrive physically at the branch.

4. After consultation with the Advisory Committee on Banking Business Affairs, and with the consent of the Governor, I have decided to amend Proper Conduct of Banking Business Directive no. 367 on “E-banking”.

Amendments to the Directive

Opening an account remotely for a corporation

5. Section 8 of the Directive: Definitions

- A definition of “Corporation” was added. In accordance with this definition, opening an account remotely will be possible only for corporations that are a company, partnership, cooperative association, Ottoman society, nonprofit organization, or political party listed in Israel.
- A definition of “Electronic signature” was added.

6. Section 18 of the Directive: Principles of opening an online account

The principles for opening an online account for an individual will also apply when opening an online account for a corporation. This includes:

- Similar to an individual’s account opened remotely, a corporate account opened remotely is to be without beneficiaries other than the accountholders.
- The banking corporation is required to document all the documents submitted to it in accordance with Section 19a of the Directive, all in line with the documentation requirement in Section 7 of the Order.

7. Section 19 of the Directive: Identification and authentication of the online account applicant

The ways established in Sections 19(a) and (b) of the Directive, for identification and authentication of an individual requesting to open an online account, shall apply as well to authorized signatories of a corporation.

For remote authentication of identification details of a corporation, it was established that, as it is possible to receive the incorporation documents of a company, partnership, or nonprofit association signed digitally by the Israeli Corporations Authority, a corporation can fulfill the requirement regarding recording the corporation’s identifying details that appears in Section 3(a)(3)(a) of the Order via such a file. In addition, a banking corporation can also receive online a certified copy, as defined in Section 3(b) of the Order, of the incorporation document, provided that the copy is signed with an electronic signature of the lawyer who complies with the purposes of the Order in this regard.

8. Section 19a of the Directive – corporate documents requirements

Section 3(a)(3) of the Order details a list of documents that a banking corporation must receive from the corporation when opening an account, either a certified copy or alternatively, in certain cases, through a lawyer’s certification.
A banking corporation can continue to receive these documents in the same manner that it has received them to date, and, due to the amendment to the Directive, via online methods as well, provided that they are signed with an electronic signature of a lawyer who complies with the purposes of the provisions of the Order on this issue.

9. Section 22 of the Directive – Declaration of beneficiary and holder of control in an online account

It was established that an authorized signatory of the corporation who requests to open an online account will be required:

- To declare any beneficiaries and holders of control via an online form
- To declare in his or her voice that there are no beneficiaries in the account other than the account holder and the veracity of the declaration form on holders of control on whom he or she declared.

10. Section 27 of the Directive – Restrictions on an online account

It was established that a banking corporation may remove the restrictions imposed on an online account in accordance with the “Online account restrictions” part of the Directive, after completing the full identification of the authorized signatory of the corporation in accordance with the provisions of the Order.

11. Section 39a of the Directive – Adding or removing an account holder or authorized signatory remotely

With regard to Subsection (b)(1) - When adding or removing an authorized signatory of a corporation, there is no need to identify and authenticate the corporation. Instead, the corporation shall present a certified copy from a lawyer on the corporation’s competent function’s decision or a lawyer’s certification of the authorized signatory for managing the account, if it is signed with an electronic signature that complies with the purposes of the provisions of the Order in this regard.

With regard to Subsection (e) - There is no change in the provisions of this section. However, as the definition of “corporation” in Section 8 of the Directive is restrictive compared with its definition in the Order, it is clarified that with regard to this Section, the definition of “corporation” is as it is defined in the Order, as it was until now.

12. Section 44 of the Directive –

There is no change in the provisions of this section.
However, as the definition of “corporation” in Section 8 of the Directive is restrictive compared with its definition in the Order, it is clarified that with regard to this Section, the definition of “corporation” is as it is defined in the Order, as it was until now.

13. Section 73(b) of the Directive –

There is no change in the provisions of this section. However, the word “banking” was added in order to clarify that this section refers to banking corporations, as it did previously, and not to a corporation as defined in the Directive or Order.

Technology for remote face-to-face identification and authentication

14. Section 27a(a1) – Technology for remote face-to-face identification and authentication

A requirement was added, according to which the types of controls detailed in Subsection (a)(2) and in Subsection (a)(4)(a) shall be carried out together without a break in between them. That is, the execution of each of the controls separately is liable to impair the reliability of the customer’s identification and authentication process and thus expose the banking corporation to unnecessary risks, including compliance risks.

The Payment Services Law, 5779-2019

15. Section 5 of the Directive -

The Debit Cards Law, 5746-1986, was repealed as of October 14, 2020. Accordingly, the reference to the law was cancelled. In addition, in view of the cancellation of the Debit Cards Law, 5746-1986, which established the requirement for a signature on a contract to use a payment card as defined in this Law, the reference to the Electronic Signature Law, 5761-2001, is no longer necessary and accordingly it was cancelled.

16. Section 30 of the Directive –

On October 14, 2020, the Payment Services Law, 5779-2019, went into effect, cancelling the Debit Cards Law, 5746-1986. The reference to the Law was revised accordingly. The words “and its regulations” were replaced by the words “and the regulations by its authority” so that the section is in line with any future change in regulations.

17. Section 40 of the Directive –

The Banking Supervision Department wishes to emphasize that the provisions of this section shall apply subject to the provisions of all laws.
Accordingly, the remote granting of an authorization to debit an account is an action that requires the identification of the payer through an enhanced identifying detail as established in Section 33(1) of the Payment Services Law, 5779-2019.

Remote signing up to e-banking services

18. Section 32 of the Directive –

Further to the question and answer regarding Section 31 of the Directive as part of the “Questions and answers on the implementation of Proper Conduct of Banking Business Directive no. 367 on ‘E-banking’”, it was established that, in a case in which a customer signed up to an e-banking agreement that includes future services or channels that the banking corporation will offer, and the service or channel are not offered to the customer at the time of signing, and the risks related to the use of the service or channel are not brought to the customer’s attention, the banking corporation shall fulfill the provisions of this section before the customer’s initial use of the service.

It was also established that before receiving the customer’s consent to the agreement, the banking corporation shall note to the customer as part of the requirements of the Section, that the customer may, at any time, notify the banking corporation of his desire to halt the agreement to receive the services.

19. Section 33 of the Directive –

In accordance with the amendment, a banking corporation may sign up a customer for e-banking services by using means of identification and authentication in line with the risk assessment and policy that was approved by the board of directors, provided that said use is consistent with the means of identification and authentication established for e-banking activity. Thus, for example, adding a customer to e-banking services that require two-factor authentication for ongoing activity shall not be allowed via one authentication factor.

20. Section 42 of the Directive –

Subsection b referring to the activity of “adding a channel or service that is not solely for information” shall be deleted, because based on the amendment, a banking corporation shall be able to add the customer to e-banking service via the use of means of identification and authentication in line with the risk assessment and policy that was approved by the board of directors, and not necessarily via at least two-factor authentication as required in the Section.

21. Section 48 of the Directive –

Section 42(b) was cancelled as noted above, and the referral from Section 48 was cancelled accordingly, though the requirement for an alert to the customer regarding the addition of the channel or service that is not solely for information remains in place.

22. Appendix A – Signing up remotely for e-banking services – extensions to additional cases –

This Appendix was cancelled, as in accordance with the amendment, a banking corporation can sign up a customer to e-banking services through the use of means of identification and authentication in line with the risk assessment and policy that was approved by the board of directors, and not necessarily via at least one authentication factor or the use of identification details and several questions as required in the Appendix.

Reports and approvals

23. Section 74 of the Directive -

The reporting to the Banking Supervision Department, among other things, of an incident or suspected incident of an e-banking services fraud as well as a significant incident related to e-banking, including significant intrusion attempts and actual intrusions into systems, system downtime, or fraud shall be in accordance with the provisions of Proper Conduct of Banking Business Directive no. 366 on “Reporting of Technological Failures and Cyber Events”.

Applicability

The amendments to the Directive shall go into effect on their date of publication, except for the amendment to Section 74 that will go into effect when Proper Conduct of Banking Business Directive no. 366 on “Reporting of Technological Failures and Cyber Events” goes into effect.

Revised file

23. Update pages for the Proper Conduct of Banking Business Directive file are attached herewith. Following are the provisions of the update:

Remove page: (12/19) [8] 367-1-26
Insert page: (12/20) [9] 367-1-26

Respectfully,

Yair Avidan
Supervisor of Banks