IDV Compliance in Türkiye: A Brief Overview of Requirements and Solutions

Before exploring the regulatory landscape, let’s briefly look at the most common identity documents used by Turkish citizens for verification. 

In Türkiye, the standard identity documents in circulation include: passports, national identity cards, and driver’s licenses.

The Turkish passport, introduced in its current series in 2022, is a biometric and ICAO-compliant document. This means it follows the international layout and data standards, with content in both Turkish and English, and remains valid for ten years. The passport features an RFID chip that stores personal details and a photo image with facial attributes. While primarily used for international travel, it is especially relevant for Border Control, as well as Aviation, Hospitality, and Insurance companies.

The Turkish national identity card (2016 series) is also biometric and has been mandatory for all citizens from birth. It plays a key role in domestic IDV processes. From 2020, driver’s license information can also be uploaded to the electronic card. One of the most important features is the unique 11-digit ID number, which can be verified by matching it with the barcode on the reverse side or cross-checking with government databases. The card’s chip stores biometric data, including the holder’s photo.

The Turkish driver’s license is primarily intended to confirm that the holder is qualified to drive certain vehicles. The current version, introduced in 2016, was updated to align with EU standards for driver’s licenses. As a result, its design and security features are now very similar to those found in European driver’s licenses.

To sum up: Turkish identity documents include standard personal information and security features, such as a machine-readable zone (MRZ) and barcodes, but also contain biometric data, which often requires special handling and technology for verification. 

Now, let’s explore the IDV regulations in Türkiye.

Since Turkish ID documents contain biometric data, it’s important to start with the general rules around personal data processing. In 2016, Türkiye introduced the Personal Data Protection Law, which has since been supplemented by several regulations covering various aspects. 

The law is built on a few core principles, mainly that data processing must be relevant, limited, and necessary for the stated purpose. It also defines personal data categories, like general and special (sensitive). For example, biometric data falls under a special category, which means it is generally prohibited from being processed—unless certain legal conditions are met and explicit consent is obtained from the individual. 

There are also standard practices involving the verification of Turkish identity cards. In 2020, the Republic of Türkiye Identity Card Regulation was published. Turkish ID cards contain a lot of personal information in the visual inspection zone (VIZ), chip, and barcode, including photo, signature, contact details, and biometric data. While some of this information can be accessed by any standard document reader that complies with ISO/IEC 7816, sensitive data like biometrics only can be verified by authorized secure devices called KECs (Kimlik Erişim Cihazı, or Identity Access Device), which are typically available only to government agencies.  

There is also a notable regulation around identity numbers found in ID cards. In 2024, the Personal Data Protection Authority (KVKK) published the Guidelines on the Processing of the Republic of Türkiye Identity Numbers (see: Turkish version), highlighting that identity numbers are high-risk data. Organizations are advised to avoid using them for IDV unless absolutely necessary. 

For example, using an ID number as a login ID in a mobile application is discouraged—less sensitive data, such as a phone number, should be used instead.

Türkiye has a well-structured regulatory framework, giving companies entering this market clear operating conditions. At the same time, it highlights that IDV is tightly regulated across many industries.

In addition to the regulators already mentioned, there are sector-specific authorities responsible for overseeing how IDV laws are implemented within their domains: 

• The Information and Communication Technologies Authority (ITCA)—For Telecom providers

• The Central Bank of the Republic of Türkiye, the Banking Regulation and Supervision Agency (BRSA), and the Capital Markets Board—For banks, Fintech companies, payment service providers, e-money institutions, and brokers

• The Financial Crimes Investigation Board (MASAK)—Responsible for preventing money laundering and terrorism financing across all sectors

Each regulator has its own set of rules, so what’s allowed in Banking might not meet the requirements in Telecom. 

Let’s take a closer look at industry-specific regulations to better understand the differences.

The key regulation for Telecom operators in Türkiye is the Regulation on Identity Authentication in the Electronic Communications Sector (see: Turkish version). Introduced by the ITCA, the document came into force in 2021.

The regulation outlines several use cases for IDV, including creating electronic subscription contracts, transferring a phone number, changing mobile operators, issuing qualified electronic certificates, and replacing SIM cards. 

To confirm a user’s identity, Telecom companies can use a range of methods, such as:

• Türkiye’s official e-Government system

• Remote NFC verification, where the photo stored in the ID card’s chip is compared with a real-time selfie

• Video identification, which requires explicit user consent and fully encrypted communication

• Traditional in-person verification

Financial institutions in Türkiye, including banks and Fintech companies, must comply with stricter IDV requirements, many of which also apply to IDV software providers, whose solutions must meet specific technical standards.

In 2023, the BRSA issued Circular No. 2023/1 on Authentication and Transaction Security (see: Turkish version). It defines how banks and finance companies must remotely verify customer identities and ensure transaction security. 

The two main approved methods are:

• Video calls, which must be live, recorded, and uninterrupted

• NFC verification, if the user has a Turkish electronic ID card, combined with mandatory face matching

The Circular also obliges banks to use secure software and servers for transaction signing, ensure end-to-end encryption between the user’s device and the bank’s server with communication through a dedicated secure channel, and obtain permission before using third-party IDV providers. 

Another important BRSA regulation is the Regulation on Information Systems and Electronic Banking Services of Banks, introduced in 2020. It outlines the general rules for IT system management and IDV in digital banking. One of its key points is the use of two-factor authentication for most online user transactions. These factors must belong to different classes, such as:

• Customer-known: Password, PIN, or a security question

• Customer-owned: Mobile phone, smart card

• Biometric features: Face, fingerprint, or voice

The regulation also sets specific standards for these factors. For instance, security questions must not be based on any data displayed on the customer’s ID document presented during verification.

Additionally, MASAK’s Legislation on Remote Identification was updated in 2023 (see: Turkish version) to cover legal entity verification for entities that weren’t previously considered “customers,” and as a result couldn’t be verified online. Now, business customers can be verified remotely, primarily through NFC verification. If it isn't available, the ID document’s security features, such as holograms and background patterns, must be examined. This implies that document liveness detection is acceptable when dynamic security features in the presented ID are analyzed. 

Importantly, IDV providers involved in the remote verification process must be certified under ISO/IEC 27001, a global standard for information security management.

Finally, there are specific IDV requirements for Crypto companies operating in Türkiye. The key references include:

• The Crypto Asset Service Providers Guide by MASAK, 2021 (see: Turkish version)

• The General Communiqué on Financial Crimes Investigation Board by the Ministry of Treasury and Finance, 2021

• The Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism by the Central Bank, 2021

• The FATF recommendations for Crypto companies, which Türkiye follows as a member country

Following an amendment to the Central Bank’s Regulation in 2021, crypto asset service providers were added to the list of obligated parties, similar to banks and financial institutions. This marked the first time that Crypto companies were formally regulated in this context in Türkiye. 

Crypto businesses headquartered or operating in the country are now required to follow Know Your Customer procedures, which include:

• Customer identity verification using ID scans and supporting official documents like utility bills.

• Identity and address confirmation via Türkiye’s official population database, managed by the General Directorate of Population and Citizenship under the Ministry of Interior Affairs.

• Customer risk assessment, which includes evaluating the customer’s income, source of funds, and expected transaction volume and frequency.

• Suspicious transaction reporting to MASAK.

• Information sharing, including access to records, documents, and if required, passwords and keys, when requested by MASAK.

If a Crypto provider fails to meet these legal obligations, penalties for non-compliance may be imposed.

Let’s sum up the major IDV requirements in Türkiye:

• User consent is mandatory for processing identity data, with explicit consent required for special cases like live video interviews. 

• Biometric identity documents (primarily, Turkish ID cards) and selfies are widely used for verification across different industries. 

• Some biometrics stored on the chip are typically accessible only via authorized document readers.

• Compliant authentication methods include advanced techniques such as two-factor authentication and end-to-end encryption. 

• Official document databases are frequently used to cross-check and confirm personal details, such as name or address.

• Non-compliance with IDV regulations can result in penalties and fines.

As a developer of 100% in-house identity and biometric verification solutions, Regula is ready to help you implement a robust and compliant IDV system. 

• Regula Document Reader SDK performs automated authenticity checks for Turkish government-issued documents, including ID liveness detection, remote NFC verification, and server-side verification.

• Regula Face SDK enables seamless selfie verification, facial recognition, and face matching with the portrait in the presented ID or third-party databases with liveness checks. 

Feel free to contact us for details!