Turkey paved the way for digital onboarding in the finance sector in the middle of this year by amending the relevant regulations. Following the amendments, the draft Communiqué on Remote Identification methods to be used by Banks (“Draft”) was opened to public consultation by the Banking Regulation and Supervision Agency on September 21, 2020.
The Draft seems to have been mostly adopted from the Circular 3/2017 (GW) – video identification procedures of Germany’s Federal Financial Supervisory Authority (“BaFin”). Accordingly, Turkey is to adopt video identification as the primary remote identification method during digital onboarding.
The key points of the Draft can be summarized as follows:
What does the Draft aim to do?
The Draft aims to regulate the remote identification methods that banks can use during digital onboarding and identification of customers. In this respect, FinTechs, i.e. payment and e-money institutions, will not be subject to the Draft. The regulation for FinTechs will be prepared and published separately by the Turkish Central Bank.
General Principles on Remote Identification
The Draft enables banks to identify real persons via video communication held between the customer and a bank employee who has been specifically trained in identification.
Within the scope of the Draft, the processes and systems related to identification have to be treated as critical. The process therefore has to be initiated, approved and completed by different bank employees, in view of the segregation of duties principle mentioned in the Regulation on Banking Information Systems and Electronic Banking Services.
Furthermore, the Draft stipulates that the video identification procedure is to be evaluated each year and updated if necessary, in view of the technological advances and experiences gained with the procedure.
The Phases of Identification
In accordance with the Draft, the remote identification process must be performed in real-time and without interruption by taking required technical and organizational measures.
The process consists of three phases:
- Verification of the identity document,
- Verification of the person to be identified and
- Authentication of the person via SMS one-time password (OTP) to be sent during video transmission.
Technical and organizational requirements
The Draft sets down the following technical and organizational requirements:
- Video identification must be performed in real-time and without interruption. The integrity and confidentiality of the video communication between the bank and the person to be identified must be adequately ensured; for this reason, only end-to-end encrypted video chats are permitted.
- The image and sound quality of the communication must be adequate to allow unrestricted identification beyond doubt on the basis of all examinations. In particular, these include the examination of the security features that have been categorized as visually verifiable in white light, as well as the examination carried out to check whether the document has been damaged or manipulated.
- During the video process, the bank employee must create photos/screenshots which clearly show the person to be identified as well as the front and reverse of the identity document used by this person for identification purposes and the information held on this document.
Verification of Identity documents
Under the Draft, only identity documents that have security features which are sufficiently forgery-proof, clearly identifiable and therefore visually verifiable in white light, and that also have a machine-readable zone, photo and hand-written signature, are eligible to be used as proof of identity during the video identification process.
In order to ascertain the identity of the person to be identified on the basis of the permitted identification document, the Draft requires the bank first of all to ensure that the document used as proof of identity contains the optical security features visually identifiable in white light that a document of this kind typically has.
During visual identification, the person to be identified must tilt his or her document horizontally or vertically in front of the camera and carry out any additional movements as instructed by the bank employee.
Using stills from these movements that are cut out and enlarged, the bank must verify that the identity document, along with all the security features visually identifiable in white light, is completely covered at the right point and that no artefacts indicating manipulation are evident at the transition points.
Furthermore, the verification of the person against the identity document is to be deemed completed as long as i) the verification criteria of at least four security features randomly selected from the identity document are met and ii) verification of the identity document via NFC is successfully completed.
A verification of the validity and plausibility of the data and information contained on the identity document must be performed as part of the video identification procedure.
In this respect, banks are obliged to carry out at least the following checks: i) whether the document meets the standards, ii) whether the identity document used is undamaged and has not been manipulated, iii) whether the document has expired, iv) a cross-check of the digits in the machine-readable zone and v) a cross-check of the information provided against the information to be obtained from the database of the Nüfus ve Vatandaşlık İşleri Genel Müdürlüğü (General Directorate of Civil Registration and Citizenship Affairs).
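Checks iii) and iv) can be automated once the machine-readable zone has been read. The following is an added example, not part of the Draft or of the original article: it assumes the three-line TD1 card layout and the check-digit rule of ICAO Doc 9303 (the article does not name a format), and the function names and the sample MRZ for the fictional issuer UTO are illustrative.

```python
from datetime import date

WEIGHTS = (7, 3, 1)  # ICAO Doc 9303 check-digit weights, repeated over the field

def char_value(c: str) -> int:
    """Map an MRZ character to its value: 0-9, A-Z -> 10-35, filler '<' -> 0."""
    if "0" <= c <= "9":
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"illegal MRZ character: {c!r}")

def check_digit(field: str) -> str:
    """Weighted sum of the field's character values, modulo 10."""
    return str(sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10)

def verify_td1(lines: list[str], today: date) -> dict[str, bool]:
    """Return pass/fail per check for a TD1 MRZ (3 lines of 30 characters)."""
    if len(lines) != 3 or any(len(line) != 30 for line in lines):
        raise ValueError("TD1 MRZ must be 3 lines of 30 characters")
    l1, l2 = lines[0], lines[1]
    expiry = l2[8:14]  # YYMMDD
    # The composite digit covers the data fields together with their own check digits.
    composite = l1[5:30] + l2[0:7] + l2[8:15] + l2[18:29]
    results = {
        "document_number": check_digit(l1[5:14]) == l1[14],
        "date_of_birth": check_digit(l2[0:6]) == l2[6],
        "expiry_date": check_digit(expiry) == l2[14],
        "composite": check_digit(composite) == l2[29],
    }
    try:
        # Assumption: two-digit expiry years are interpreted as 20YY.
        exp = date(2000 + int(expiry[:2]), int(expiry[2:4]), int(expiry[4:6]))
        results["not_expired"] = exp >= today
    except ValueError:  # non-numeric or impossible date
        results["not_expired"] = False
    return results

# Sample MRZ for the fictional issuer "UTO"; not a real document.
SAMPLE = [
    "I<UTOD231458907" + "<" * 15,
    "7408122F1204159UTO" + "<" * 11 + "6",
    "ERIKSSON<<ANNA<MARIA" + "<" * 10,
]
```

A single altered digit fails both the field's own check digit and the composite digit. A passing check digit only shows that the zone is internally consistent, which is why the Draft lists the registry cross-check as a separate item.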
Verification of the person to be identified
In terms of the verification of the person to be identified, the Draft requires banks to use techniques to detect the liveness of the person to be identified. In addition, banks must make sure that the photograph and personal information on the identity document used match the person to be identified.
Furthermore, banks must satisfy themselves regarding the plausibility of the information contained on the identity document, the information provided by the person to be identified during the interview as well as the stated intention of this person through psychological questioning and observations made during the identification procedure.
Bank employees must be trained so that they can determine beyond doubt that the person to be identified is purchasing the respective product from the bank of their own volition, i.e. not as a result of phishing, social engineering, pressure exerted by another person, etc.
Transmission of an SMS OTP
During the video transmission, the person to be identified must directly enter the OTP, which is valid only for this purpose, centrally generated and delivered to this person by SMS, and must return it to the bank electronically via the app. The identification procedure is deemed completed once the OTP is successfully confirmed by the bank’s system.
Termination of the video identification process
According to the Draft, if visual verification is not possible – e.g. due to poor light conditions or poor image quality or transmission – and/or if verbal communication with the person to be identified is not possible, the identification process must be aborted. The same applies in case of any other discrepancy or uncertainty. Moreover, the identification process must be cancelled in case of any suspected act of fraud or forgery.
According to the Draft, the bank is responsible for maintaining the use of a technological solution that reduces to a minimum the risk of identifying the wrong person. In addition, the bank should monitor customers who have been remotely identified under a separate risk profile.
In line with the above, the burden of proof lies with the bank in case of an objection in relation to the identification or a transaction.
The Draft is anticipated to be published on January 1, 2021 and enter into force on the same date.