Companies around the world generally follow a standard approach when verifying their customers’ identities, especially online. In most cases, this involves checking a government-issued photo ID and confirming the person’s identity through biometrics—typically, a selfie.
All major identity verification (IDV) solution providers include these steps in their products, with slight adjustments depending on the client’s industry.
However, there is one more critical IDV component that neither vendors nor organizations can afford to overlook: regulations. In fact, they are required to consider them before choosing and implementing an IDV solution. Alongside global standards, most countries have their own IDV-specific legal requirements.
In this article, we’ll take a closer look at how this applies in Turkey.
Disclaimer! The content provided in this blog post is for informational purposes only and does not constitute legal advice or a legal opinion.
What Turkish ID documents can be used for verification?
Before exploring the regulatory landscape, let’s briefly look at the most common identity documents used by Turkish citizens for verification.
In Turkey, the standard identity documents in circulation include: passports, national identity cards, and driver’s licenses.
The Turkish passport, introduced in its current series in 2022, is a biometric and ICAO-compliant document. This means it follows the international layout and data standards, with content in both Turkish and English, and remains valid for ten years. The passport features an RFID chip that stores personal details and a photo image with facial attributes. While primarily used for international travel, it is especially relevant for Border Control, as well as Aviation, Hospitality, and Insurance companies.
The Turkish national identity card (2016 series) is also biometric and has been mandatory for all citizens from birth. It plays a key role in domestic IDV processes. From 2020, driver’s license information can also be uploaded to the electronic card. One of the most important features is the unique 11-digit ID number, which can be verified by matching it with the barcode on the reverse side or cross-checking with government databases. The card’s chip stores biometric data, including the holder’s photo.
The Turkish driver’s license is primarily intended to confirm that the holder is qualified to drive certain vehicles. The current version, introduced in 2016, was updated to align with EU standards for driver’s licenses. As a result, its design and security features are now very similar to those found in European driver’s licenses.
To sum up: Turkish identity documents include standard personal information and security features, such as a machine-readable zone (MRZ) and barcodes, but also contain biometric data, which often requires special handling and technology for verification.
Now, let’s explore the IDV regulations in Turkey.
General identity information regulation
Since Turkish ID documents contain biometric data, it’s important to start with the general rules around personal data processing. In 2016, Turkey introduced the Personal Data Protection Law, which has since been supplemented by several regulations covering various aspects.
The law is built on a few core principles, mainly that data processing must be relevant, limited, and necessary for the stated purpose. It also defines personal data categories, like general and special (sensitive). For example, biometric data falls under a special category, which means it is generally prohibited from being processed—unless certain legal conditions are met and explicit consent is obtained from the individual.
There are also standard practices involving the verification of Turkish identity cards. In 2020, the Republic of Turkey Identity Card Regulation was published. Turkish ID cards contain a lot of personal information in the visual inspection zone (VIZ), chip, and barcode, including photo, signature, contact details, and biometric data. While some of this information can be accessed by any standard document reader that complies with ISO/IEC 7816, sensitive data like biometrics only can be verified by authorized secure devices called KECs (Kimlik Erişim Cihazı, or Identity Access Device), which are typically available only to government agencies.
There is also a notable regulation around identity numbers found in ID cards. In 2024, the Personal Data Protection Authority (KVKK) published the Guidelines on the Processing of the Republic of Türkiye Identity Numbers (see: Turkish version), highlighting that identity numbers are high-risk data. Organizations are advised to avoid using them for IDV unless absolutely necessary.
For example, using an ID number as a login ID in a mobile application is discouraged—less sensitive data, such as a phone number, should be used instead.
Industry-specific identity verification in Turkey: A regulatory overview
Turkey has a well-structured regulatory framework, giving companies entering this market clear operating conditions. At the same time, it highlights that IDV is tightly regulated across many industries.
In addition to the regulators already mentioned, there are sector-specific authorities responsible for overseeing how IDV laws are implemented within their domains:
The Information and Communication Technologies Authority (ITCA)—For Telecom providers
The Central Bank of the Republic of Turkey, the Banking Regulation and Supervision Agency (BRSA), and the Capital Markets Board—For banks, Fintech companies, payment service providers, e-money institutions, and brokers
The Financial Crimes Investigation Board (MASAK)—Responsible for preventing money laundering and terrorism financing across all sectors
Each regulator has its own set of rules, so what’s allowed in Banking might not meet the requirements in Telecom.
Let’s take a closer look at industry-specific regulations to better understand the differences.
We’ll deliver hand-picked content from Regula’s experts into your inbox
IDV for Telecom and internet providers
The key regulation for Telecom operators in Turkey is the Regulation on Identity Authentication in the Electronic Communications Sector (see: Turkish version). Introduced by the ITCA, the document came into force in 2021.
The regulation outlines several use cases for IDV, including creating electronic subscription contracts, transferring a phone number, changing mobile operators, issuing qualified electronic certificates, and replacing SIM cards.
To confirm a user’s identity, Telecom companies can use a range of methods, such as:
Turkey’s official e-Government system
Remote NFC verification, where the photo stored in the ID card’s chip is compared with a real-time selfie
Video identification, which requires explicit user consent and fully encrypted communication
Traditional in-person verification
IDV for Banking and Fintech
Financial institutions in Turkey, including banks and Fintech companies, must comply with stricter IDV requirements, many of which also apply to IDV software providers, whose solutions must meet specific technical standards.
In 2023, the BRSA issued Circular No. 2023/1 on Authentication and Transaction Security (see: Turkish version). It defines how banks and finance companies must remotely verify customer identities and ensure transaction security.
The two main approved methods are:
Video calls, which must be live, recorded, and uninterrupted
NFC verification, if the user has a Turkish electronic ID card, combined with mandatory face matching
The Circular also obliges banks to use secure software and servers for transaction signing, ensure end-to-end encryption between the user’s device and the bank’s server with communication through a dedicated secure channel, and obtain permission before using third-party IDV providers.
Another important BRSA regulation is the Regulation on Information Systems and Electronic Banking Services of Banks, introduced in 2020. It outlines the general rules for IT system management and IDV in digital banking. One of its key points is the use of two-factor authentication for most online user transactions. These factors must belong to different classes, such as:
Customer-known: Password, PIN, or a security question
Customer-owned: Mobile phone, smart card
Biometric features: Face, fingerprint, or voice
The regulation also sets specific standards for these factors. For instance, security questions must not be based on any data displayed on the customer’s ID document presented during verification.
Additionally, MASAK’s Legislation on Remote Identification was updated in 2023 (see: Turkish version) to cover legal entity verification for entities that weren’t previously considered “customers,” and as a result couldn’t be verified online. Now, business customers can be verified remotely, primarily through NFC verification. If it isn't available, the ID document’s security features, such as holograms and background patterns, must be examined. This implies that document liveness detection is acceptable when dynamic security features in the presented ID are analyzed.
Importantly, IDV providers involved in the remote verification process must be certified under ISO/IEC 27001, a global standard for information security management.
IDV for Crypto
Finally, there are specific IDV requirements for Crypto companies operating in Turkey. The key references include:
The Crypto Asset Service Providers Guide by MASAK, 2021 (see: Turkish version)
The General Communiqué on Financial Crimes Investigation Board by the Ministry of Treasury and Finance, 2021
The Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism by the Central Bank, 2021
The FATF recommendations for Crypto companies, which Turkey follows as a member country
Following an amendment to the Central Bank’s Regulation in 2021, crypto asset service providers were added to the list of obligated parties, similar to banks and financial institutions. This marked the first time that Crypto companies were formally regulated in this context in Turkey.
Crypto businesses headquartered or operating in the country are now required to follow Know Your Customer procedures, which include:
Customer identity verification using ID scans and supporting official documents like utility bills.
Identity and address confirmation via Turkey’s official population database, managed by the General Directorate of Population and Citizenship under the Ministry of Interior Affairs.
Customer risk assessment, which includes evaluating the customer’s income, source of funds, and expected transaction volume and frequency.
Suspicious transaction reporting to MASAK.
Information sharing, including access to records, documents, and if required, passwords and keys, when requested by MASAK.
If a Crypto provider fails to meet these legal obligations, penalties for non-compliance may be imposed.
Key takeaways
Let’s sum up the major IDV requirements in Turkey:
User consent is mandatory for processing identity data, with explicit consent required for special cases like live video interviews.
Biometric identity documents (primarily, Turkish ID cards) and selfies are widely used for verification across different industries.
Some biometrics stored on the chip are typically accessible only via authorized document readers.
Compliant authentication methods include advanced techniques such as two-factor authentication and end-to-end encryption.
Official document databases are frequently used to cross-check and confirm personal details, such as name or address.
Non-compliance with IDV regulations can result in penalties and fines.
Find a compliant IDV solution in Regula
As a developer of 100% in-house identity and biometric verification solutions, Regula is ready to help you implement a robust and compliant IDV system.
Regula Document Reader SDK performs automated authenticity checks for Turkish government-issued documents, including ID liveness detection, remote NFC verification, and server-side verification.
Regula Face SDK enables seamless selfie verification, facial recognition, and face matching with the portrait in the presented ID or third-party databases with liveness checks.
Feel free to contact us for details!
