In the current age, we need support, possibly more than ever, from financial institutions to manage business mobility, needs for savings and loans, as well as individuals or companies through corporations, which inevitably affects the financial services sector. The financial services sector must follow and adapt fast to emerging technologies to meet such demands effectively. The recent challenges of customers and institutions in communicating face-to-face have necessitated following and adopting digital developments across the world. In this framework, remote identity verification has emerged as a viable option for such demands, saving time and effort and providing a practical alternative to face-to-face communication.
So, what is remote identity verification, and how is it used? Remote identity verification refers to an online video call between an employee of an authorized institution and a customer, which is made when a physical meeting is impossible to complete transactions specified in the applicable legislation. Institutions that can offer remote identity verification to customers include banks, non-bank financial institutions, brokers, portfolio management companies, and bitcoin trading/exchange service providers.
Remote identity verification was regulated for the first time on 1 April 2021 with the “Regulation on Remote Identity Verification Methods to be Used by Banks, and the Establishment of Contractual Relations in Electronic Environment,” which defined the scope, application, and requirements of remote identity control.
Then, the “Regulation Amending the Regulation on Remote Identity Verification Methods to be Used by Banks, and the Establishment of Contractual Relations in Electronic Environment” was published in the Official Gazette no. 31801 of 06.04.2022 to stipulate principles to be applied for the remote identity verification of non-resident Turkish citizens, regarding deposits and participation systems. This Amending Regulation expanded the scope of remote identity verification.
Regulation of 1 April 2021 prescribes how to apply the remote identity verification procedure, whereas the Amending Regulation of 06.04.2022 expands the application areas for non-resident Turkish citizens. Below, we provide an overview of the legislation and the new requirements of the amending regulation.
i) Legislation in general:
According to the relevant provisions, the remote identity verification procedure is carried out as follows:
- Before initiating the process, the authorized institution should draft the relevant documents, test the process efficiency, report the findings, and if everything is ready, start the procedure.
- Remote identity verification is carried out via online, live and uninterrupted means with end-to-end encrypted communication resembling face-to-face identity verification.
- The video call is made by a customer representative trained in this field, who receives training, including on personal data protection legislation, at least once a year and after each update.
- The identity verification process starts with a person’s application (“the applicant”). At the beginning of the interview, the customer representative obtains the applicant’s explicit consent to protect personal data.
- During the identification process, the customer representative should believe that the information provided by the applicant is reasonable, sufficient, and convincing by way of psychological inquiry and observation.
- If the customer representative is sure that the applicant is telling the truth, they send a one-time password to their mobile phone for identity verification. The process is completed when the applicant enters the password into the interface.
- If the customer representative has doubts about the transaction, they may either end the conversation or apply additional controls and another approval mechanism.
ii) New Regulations, Foreign Persons, and YUVAM Account:
The Amending Regulation of 06.04.2022 allows non-resident natural person citizens who have a T.R. Identity Card or Blue Card, to open a YUVAM account (i.e., Non-Resident Deposit Account) and make transactions via this account. To this end, banks welcome new customers via passports with near-field communication as per ICAO (International Civil Aviation Organization) standards. As a result, remote identity verification mainly benefits non-resident citizens whose physical participation is difficult.
Liabilities and Risks in Remote Identity Verification
The authorized institution generally carries the responsibility of verifying the applicant’s identity by mitigating the relevant risks. The institution should employ techniques to minimize the risks as per the applicable legislation. If the applicant and third parties make a claim, the burden of proof will be on the broker or the portfolio management company. In case of a complaint or notice, the Capital Markets Board of Turkey determines the compliance of a transaction and authorizes the institution to take the necessary measures.
Remote identity verification is a practical and efficient alternative driven by digital transformation; however, it is also a sensitive procedure entailing various risks. Therefore, this process can mitigate or increase the possibility of financial crimes such as forgery, fraud, and money laundering based on whether it is conducted properly. The authorized institutions should take measures under the applicable legislation to avoid such problems.
During identity scanning and verification, along with the video call, the institution should take the necessary security measures given technological, operational, and other risks. These procedures are considered critical by the relevant institutions. Therefore, the institution should know about the assets subject to the transaction, the applicant’s funds and their source, the applicant’s average income, the approximate size of the account opened or opened, and the number of transactions. The institution should also obtain detailed information about the applicant and update their data frequently. It can also increase the frequency of training, controls, and audits required per the applicable legislation. Moreover, the institution should observe applicants’ actions and scrutinize transactions that do not comply with their financial profile and regular activities. It should report risky transactions and take adequate measures, including limiting the amount and number of transactions and suspending transactions in case of reasonable doubt. This whole process should be recorded. The records should be stored by the requirements for keeping transparent and auditable information and documents and personal data protection principles.
Remote identity verification technology signifies a new era, especially in the financial services sector, as an emerging technology offering a practical process that strengthens the relationship between the customer and the institution when applied duly and effectively. Like any digital innovation, we can only benefit from this new system if we follow secure, systematic, and sustainable principles. Considering the sensitivity of the process, we recommend receiving professional legal advice to observe the requirements, controls, and measures outlined in the legislation.
