Amendments to MASAK Legislation on Remote Identification

    The amendments regarding remote identification were made in the Financial Crimes Investigation Board (MASAK) legislation by the Communiqué Amending the Communiqué of the Financial Crimes Investigation Board (Serial No: 24) (Communiqué) which was published in the Official Gazette dated 11 August 2023.

    As known, remote identification of legal entities by banks was made feasible recently. Although it was feasible for legal entities to become bank customers through remote identification, this was not yet feasible in terms of the MASAK legislation. In fact, since banks are also obliged to comply with the MASAK legislation, the definition of “customer” in the MASAK General Communiqué No. 19 on remote identification had to be amended to include legal entities.

    With the Communiqué, legal entities were included in the definition of “customer.” Thus, legal entities are added to the list of “persons who can be identified remotely”. The activities of MASAK-obliged entities, especially banks that are able to conclude contracts with legal entities through remote identification methods in their legislation, have also become compliant with MASAK regulations.

    The significant changes in Communiqué are as follows:

    • Under the definitions section, methods for verifying the identity document during remote identity verification were defined as “Near Field Communication” (NFC) and “Security Elements.” It was stipulated that identity verification primarily must be carried out using the identity document and verified through near-field communication. If this method cannot be applied, the security elements present on the identity document will be verified in terms of their form and content.
    • In case of remote identification, the process must be carried out online, uninterrupted, video and real-time. It is also stated that the entire remote identification process must be recorded and stored in a way to includes all steps of the process to ensure that it is auditable. Some changes are also included in the regulation on how remote identification will be performed technically.
    • In the case that the remote identification process is carried out partially or entirely through service procurement, it is obligatory for the service providers to have a TS EN ISO/IEC 27001 Information Security Management System certificate.
    • It is stated that the transactions performed by the customer representative in remote identification can also be performed partially or entirely by online and artificial intelligence-based methods. Details regarding the use of artificial intelligence in the relevant processes were also determined in Communiqué.

    Communiqué entered into force on 11 August 2023. The processes regarding the implementation of the Communiqué are a matter of curiosity for everyone.

    You can reach the full text of the Communiqué here (only available in Turkish).

    This website is available “as is.” Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.