On 11 August 2023, the Communiqué Amending the Financial Crimes Investigation Board General Communique (“Communiqué”) was published by the Ministry of Treasury and Finance on the Official Gazette numbered 32276.
The Financial Crimes Investigation Board General Communique regulates the procedures and principles regarding the remote identification of natural persons and natural person merchants in banking transactions. However, with the Communiqué, this scope was expanded and new regulations regarding the procedures and principles came into force.
With the Communiqué the definition “legal entities registered in the trade registry” was added to the definition of customers that could be identified remotely, in addition to natural persons and natural person merchants.
The Communiqué also added the following regulations:
Remote identification shall be completed before a continuing business relationship is established.
Remote identification shall be conducted online, continuously, in video, and in real-time. The entire remote identification process shall be recorded and stored in a way that includes all steps of the process and ensures that it is auditable.
If the remote identification process is carried out partially or completely through service procurement, the service providers must have a TS EN ISO/IEC 27001 Information Security Management System certificate.
For artificial intelligence-based applications in remote identification:
In remote identification, the customer representative’s transactions can also be made with artificial intelligence-based methods, fully or partially, with the condition of online and real-time recording. Necessary measures shall be taken to ensure the integrity and confidentiality of visual and audio communication regarding the identification process. For this purpose, video verification is carried out with end-to-end secure communication, and in any case, video identification is completed without interruption. The obligor shall check that the remotely identified person is a real person and verify the applicant is the owner of the submitted identity by comparing the photo and images on the ID card.
In cases where an artificial intelligence application is used to verify the remotely identified person's identity or where the online real-time video call is made entirely with an artificial intelligence-based application without a customer representative, the Turkish Standards Institute report showing that the artificial intelligence algorithm’s false approval rate is less than one in ten million, shall be obtained. There is no need to obtain a Turkish Standards Institute report if the artificial intelligence algorithm is received from an organization abroad and the said organization has an internationally valid certificate.
The Communiqué also brought new methods and obligations regarding the identification of natural persons and merchants:
While identification is carried out remotely, legally required information and written statement shall be obtained from natural persons and merchants via the procedure and method used for remote identification.
During the remote identification process, measures shall be taken to verify the person and identity document of the person. It shall be ensured that the photo and personal information on the identity document match the person.
The identity document shall be verified using near-field communication. If it cannot be verified by this method, the security elements in the identity document shall be verified in terms of form and content.
The biometric comparison of the person's face and the identity document photo shall be made and additional measures shall be taken to prevent the risks of fake face technology.
A one-time password specific to the identification process shall be sent to the person via electronic communication operators.
The general principles for legal entities, which are included in the remote identification for the first time with the Communiqué, are as follows:
The legal entity’s title, trade registry number, tax identification number, field of activity, full address, telephone number, fax number, and e-mail address and the legal entity’s authorized representative’s name, surname, place and date of birth, nationality, information on the type and number of identity document and signature sample, and additionally for Turkish citizens, mother’s, father’s name and Turkish ID number shall be obtained via the procedure and method used for remote identification.
The legal entity's information shall be verified through the Central Registry Registration System (MERSIS) and the Turkish Trade Registry Gazette, and the tax identification number shall be verified through the Revenue Administration’s database.
The representative authority of the person shall be confirmed by matching the information received with the updated information obtained by querying on MERSIS or the Turkish Trade Registry Gazette.
If there is more than one person authorized to jointly represent the legal entity, it is possible to identify these people in the same session or at different times.
In case the person authorized to represent the legal entity is also a customer of the obligor, they can make a request through the internet branch or mobile application, to establish a permanent business relationship with the legal entity that they represent.
Necessary measures shall be taken for the recognition of the real beneficiary.
Lastly, in addition to the methods to be used in the remote identification process in case the identity document cannot be verified using near-field communication, the Communiqué also regulates that the first financial transaction before establishing a permanent business relationship must be made from the account of the person in another financial institution where the principles of customer recognition are applied.
With this Communique, legal entities registered in the trade registry are included in the scope of the procedures and principles regarding remote identification, which were previously applied for only natural persons and natural person merchants. After this amendment, it is expected that the business and banking transactions of companies registered in the trade registry, especially joint stock and limited companies, will become easier.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Ebru Gümüş