Due to the rapid developments in technology each and every day and the effects of Covid-19; the digitization process is closely followed in Turkey.
Legal regulations on digitalization draw attention in many sectors, especially banking and telecommunication.
The Regulation on Information Systems of Banks and Electronic Banking Services prepared by the Banking Regulation and Supervision Agency (“BRSA“) was published in the Official Gazette on 15 March 2020. Article 43 of this Regulation, which will enter into force as of 1 January 2021; states that the regulations on remote identification will be implemented by the BRSA.
In this respect, the Draft Communiqué on Remote Identification Methods to be Used by Banks (“Draft Communiqué“) was published on the official website by the BRSA on 21 September 2020 and presented to the public.
Then, the Draft Regulation on the Verification Process of the Applicant’s Identity in the Electronic Communication Sector (“Draft Regulation“), which contains parallel provisions, was published on Information and Communication Technologies Authority’s (“ICTA”) website for the telecommunication sector as per the decision of ICTA numbered 2020 / HR-BTD / 329 and dated 1 December 2020. ICTA requests public opinion about a draft regulation until 7 January 2021.
The purpose of the Draft Regulation is to regulate the procedures and principles regarding the process to be applied in order to verify the identity of the applicant if the documents created for transactions such as subscription contracts in the electronic communications sector, number porting and operator change, and qualified electronic certificate application and registered e-mail application are made electronically.
Two methods for identity verification are adopted in the Draft Regulation are as follows; (i) the application with the authentication through the e-Government portal, or (ii)the conducting an identity verification through image verification methods created with reliable technologies together with the official identity document, which has the feature of near field communication (known as NFC) in accordance with International Civil Aviation (“ICAO”) 9303 standard.
For the applicant to make the identification authentication, the applicant must sign into the e-Government Portal with one of the following methods; (i) secure electronic signature, (ii) the Republic of Turkey identity card, (iii) internet banking or mobile banking, or (iv) with the e-Government password on condition that the single-use password sent to the mobile number (“OTP SMS”), registered to applicant’s ID, which uses the same SIM card or SIM profile and used by the applicant minimum of 90 days and. The term OPT SMS is defined by BRSA in the Draft Communiqué as a single-use password transmitted via the short message service offered by the electronic communications operators; however, there is no definition for it in the Draft Regulation. The time of entry to the system, the IP and port number used, and the information about the login method is transmitted to the operator/service provider for security purposes. Identity verification via the e-Government Portal can be made directly via e-Government or the website of the operator/service provider.
In the Draft Regulation, it is stated that the video identity verification requires the explicit consent of the applicants and if such applicants do not give their explicit consent, they will be directed to the e-Government channel in order to complete their verification process. Before the video authentication, the applicant provides the contact information to the operator/service provider and the operator/service provider confirms the given contact information with an OTP SMS or a single-use link. In addition, Draft Regulation states that screenshots will be taken from different angles in a bright environment where the applicant’s face can be seen fully and clearly, with her eyes open in order to confirm the existence of the applicant. The operator makes a biometric comparison of the face on the screenshots taken with the photo on the identity card. In addition, during video authentication, the person will be asked to read the information that will be specific to the transaction document to be created, including the date and time.
The Draft Regulation will enter into force 3 months later its publication on the Official Gazette and will be executed by the ICTA President.
It is observed that remote ID verification is on the agenda of many countries and in mostly encouraged as part of their efforts to ensure remote access to as many services as possible, especially in the Covid-19 era.
These being the case, local and national authorities worldwide expectedly stepped in to draw a legal framework. Turkey, being one of them, is soon expected to enact the Draft Regulation to contribute to this effort.