Remote Identification

WHILE TECHNOLOGY MAKE OUR WORK EASIER, IT CAN INCREASE OUR RESPONSIBILITIES.

In establishing a continuous business relationship with the customer, remote identification facilitates the identification processes on the one hand, and on the other hand, increases the responsibilities of the obligors in terms of suspicious transaction detection.

In the 6th and 7th paragraphs of Article 4 of the MASAK Communiqué No. 19, which includes regulations regarding remote identification;

“Information received during remote identification,

All information and documents for confirmation and records in any medium are kept in a way that allows them to be provided to the competent authorities upon request.

“In remote identification, the process is carried out online, uninterrupted, visually and in real time. The entire remote identification process is recorded and stored in a way that includes all steps of the process and ensures that it is auditable.”

The arrangement has been made.

The scope of obliged parties who will benefit from remote identification has been expanded with the MASAK Communiqué No. 25 published on 4.11.2023. In addition, additional regulations have been made with the MASAK Communiqué No. 27 published on 25.12.2024.

Accordingly, those who will benefit from remote identification are;

Banks,

Brokerage firms and portfolio management companies,

Financial leasing companies,

Factoring companies,

Financing and savings financing companies,

Payment and electronic money institutions

Crypto Asset Service Providers

Remote identification of real persons

During the remote identification process, measures are taken to verify the person to be identified and the identity document. In this context, methods are used to determine the accuracy of the identity document and the liveliness of the person, and to ensure that the photograph and personal information on the identity document match the person.

In this context, as a minimum;

a) The identity document is verified using near field communication. If it cannot be verified in this way, at least four of the security elements in the identity document are verified in terms of form and content.

b) A biometric comparison is made between the person’s face and the photograph on the contactless chip, if it can be obtained from the identity document using near field communication, or with the photograph on the identity document, if not, and additional measures are taken to prevent risks related to fake face technology.

c) A single-use password specific to the identification process is sent to the person through electronic communication operators. If the transmitted password is approved in the system, the person’s mobile phone number is verified.

Increased Measures Are Applied to Remote Identification.

In Article 4, Clause 5 of the MASAK Communiqué No. 19, it is stated that “In establishing a permanent business relationship through remote identification, customer and service risks and the measures in Articles 18 and 20 of the Regulation are taken into consideration. In this context, enhanced measures are applied with a risk-based approach regarding the established business relationship.”

The enhanced measures to be taken for remote identification are regulated in Article 6 of the same circular. Accordingly, those responsible must fulfill the following:

With the customer’s application, a risk assessment is made with the KYC documents obtained about the person to ensure the creation and evaluation of the customer profile. Depending on the situation, the process is terminated without starting a video call.

In addition to the information that must be obtained about the customer within the scope of Articles 6 and 7 of the Regulation on Measures , information is obtained regarding the purpose and nature of the business relationship (purpose of opening an account, requested products, etc.), the source of the assets and funds belonging to the customer, average income information, the estimated monthly transaction volume of the account to be opened, and the number of transactions.

If the subsequent transaction within the scope of the permanent business relationship established by remote identification is carried out face to face with the obligor, identification is carried out and a signature sample is taken in accordance with the procedure in Articles 6 and 7 of the Measures Regulation.

Financial institutions and certain non-financial businesses and professions shall apply one or more or all of the following measures in proportion to the risk identified within the framework of the risk-based approach in transactions related to remote identification:

a) Obtaining additional information about the client and updating the identity information of the client and the actual beneficiary more frequently.

b) To require the approval of a higher-level official to enter into a business relationship, continue an existing business relationship or carry out a transaction.

c) Keeping the business relationship under close surveillance by increasing the number and frequency of controls applied and determining the types of transactions that require additional control.

d) Requiring that the first financial transaction in establishing a permanent business relationship be made through another financial institution where the principles of KYC are applied.

d) To closely monitor transactions that are not suitable for the customer’s financial profile and activities or are not related to its activities.

e) To take appropriate and effective measures, including setting limits on amounts and number of transactions.

f) In the remote identification process, in addition to the methods to be used if the identity document cannot be verified using near field communication, the first financial transaction must be made from the person’s account in another financial institution where the principles of know-your-customer are applied before establishing a permanent business relationship. Because, within the framework of the principle of Trust in Third Parties, which is the fundamental principle of AML/CFT compliance legislation, know-your-customer procedures previously performed by another obligor are relied upon.

Remote identification by crypto asset service providers

With the temporary Article 1 added to the Communiqué No. 19 on 25.12.2024, it was regulated that until the legislation regarding the main field of activity of the Obligor allows the establishment of contracts with methods that will allow the verification of the identity of the customer without coming face to face, crypto asset service providers will carry out remote identification in the establishment of a permanent business relationship with their real person customers within the scope of the methods and general principles regulated in the second part of the Communiqué No. 19 and the measures determined in the fourth part, and will verify the address and identity information received within the scope of identification, such as name, surname, date of birth and Turkish Republic identity number, through the identity sharing system database of the General Directorate of Population and Citizenship Affairs of the Ministry of Interior.

On the other hand, with the regulation that came into force on 25.12.2004;

It is regulated that crypto asset service providers who mediate the purchase, sale or storage of privacy-based crypto assets cannot perform remote identification.

In addition, it has been made mandatory that deposits and withdrawals to the crypto asset service provider, including the first financial transaction in the establishment of a continuous business relationship, are made through a bank or credit card account compatible with the customer’s identity information.

Administrative Fines

If the obliged parties fail to comply with the matters specified in the Communiqué regarding remote identification and customer recognition, the penalties stipulated in Law No. 5549 will be applied.

As is known, in recent years, fines for breach of obligations have increased both in lump sum and have been significantly increased by being subject to a lower limit of at least 5% of the transaction amount. For financial liable parties, administrative fines in 2025 will be no less than 5% of the transaction amount; 453,160 TL for KYC violations and 755,400 TL for suspicious transaction reporting violations.

In a situation where financial crimes, sanctions, administrative fines, freezing of assets and blocking of bank accounts are increasing and MASAK’s efforts in the fight against financial crimes are accelerating, liable parties must now analyze the transactions they mediate with more data on a risk basis. Technological opportunities such as remote identification enable taxpayers to have more data. While these opportunities make their jobs easier, they also increase their responsibilities such as detecting suspicious transactions through more data.