The Remote Customer Onboarding Regulation issued by the Banking Regulation and Supervision Agency (BDDK) came into force on 1 May 2021 and moved Turkish banking past the physical-branch onboarding model. The regulation allows banks and three classes of non-bank financial institution (financial leasing, factoring, financing companies) to open new customer relationships without a branch visit through a combination of video sessions, biometric liveness detection and electronic reading of the identity document (NFC preferred). This guide covers the operational design of BDDK remote onboarding flows, the technical standards, and the inspection patterns that have become clear by 2026.
Context
The regulation accelerated under COVID-19 pressure, but its substance had been long awaited. Pre-2021, opening a new account with a Turkish bank meant a branch visit — a structural barrier to the neobank model. The regulation covers:
- Banks — deposit, participation, development and investment,
- Factoring companies,
- Financial leasing companies,
- Financing companies.
Insurance companies, payment service providers and capital markets firms are out of scope — they fall under different regulators (SEDDK, CBRT and SPK respectively). This boundary is often confused.
Technical standards
1. Video session
The session must:
- Run in real time (not asynchronous),
- Be conducted between a bank customer representative and the customer,
- Be logged (date, time, participant detail),
- Be recorded in full.
Unlike the SPK regime, BDDK does not require two staff members; one authorised bank staff member is sufficient. Internal procedures may add a second-line supervisor review if the bank wishes.
2. Electronic verification of the identity document
The regulation requires identity documents to be electronically verified — not just shown to the camera. For the Turkish e-ID card, this means NFC chip reading in practice. Accepted documents:
- Turkish e-ID card (NFC chip — preferred),
- Turkish national ID card (older, non-NFC; accepted with additional controls),
- Turkish passport (NFC chip),
- Foreign passport (NFC + MRZ + ICAO PKD verification).
NFC reading:
- Verifies document integrity (chip signature),
- Authenticates the data on the document,
- Detects fraud at the physical-copy level.
Onboarding without NFC is technically possible but opens the bank to "insufficient diligence" findings on inspection.
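The optical half of document verification can be made concrete. The Python below is an added example, not part of the regulation or any vendor's code: it validates the ICAO Doc 9303 check digits of a three-line TD1 (card-size) MRZ and lists the fields where the camera-read MRZ disagrees with the values read from the chip. It assumes the card uses the TD1 layout with a document number of at most nine characters and that a hypothetical NFC reader component supplies the chip fields as a dictionary; the sample MRZ is for the fictitious issuing state UTO.

```python
# Added example (not from the regulation): TD1 MRZ check digits per ICAO Doc 9303
# and a field-by-field comparison of the optical MRZ against chip-read data.
WEIGHTS = (7, 3, 1)

def char_value(c):
    """MRZ character value: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c in "0123456789":
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"illegal MRZ character: {c!r}")

def check_digit(data):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10

def parse_td1(lines):
    """Return (fields, failed_checks) for a three-line, 30-column TD1 MRZ."""
    if len(lines) != 3 or any(len(line) != 30 for line in lines):
        raise ValueError("TD1 MRZ must be 3 lines of 30 characters")
    l1, l2, _names = lines
    fields = {
        "document_number": l1[5:14].rstrip("<"),
        "date_of_birth": l2[0:6],    # YYMMDD
        "date_of_expiry": l2[8:14],  # YYMMDD
    }
    checks = {  # name -> (covered characters, printed check digit)
        "document_number": (l1[5:14], l1[14]),
        "date_of_birth": (l2[0:6], l2[6]),
        "date_of_expiry": (l2[8:14], l2[14]),
        "composite": (l1[5:30] + l2[0:7] + l2[8:15] + l2[18:29], l2[29]),
    }
    failed = [name for name, (data, digit) in checks.items()
              if digit not in "0123456789" or check_digit(data) != int(digit)]
    return fields, failed

def compare_with_chip(mrz_fields, chip_fields):
    """Names of fields where the camera-read MRZ and the chip data disagree."""
    return sorted(k for k in mrz_fields if mrz_fields[k] != chip_fields.get(k))

# Sample MRZ for the fictitious issuing state UTO; not a real document.
SAMPLE_MRZ = [
    "I<UTOD231458907<<<<<<<<<<<<<<<",
    "7408122F1204159UTO<<<<<<<<<<<6",
    "ERIKSSON<<ANNA<MARIA<<<<<<<<<<",
]
```

Check digits only catch misreads and crude edits, since anyone can recompute them; the chip signature remains the integrity control, which is why MRZ-only acceptance is weaker evidence.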
3. Biometric liveness detection
Technical proof that the customer is "live" — not a photo, video or deepfake. Active (eye blink, head turn) or passive (texture, depth) methods are acceptable. The gold standard is to compare the chip's facial image against the selfie:
Customer selfie → Face recognition match → Match score
NFC chip facial image (official photo read from Turkish e-ID) → Face recognition match
This combination largely closes the document-fraud + not-the-customer attack surface.
4. Recording and retention
The full onboarding process (uploaded documents, session recording, logs, biometric capture) is recorded and retained for 5 years under BDDK's general banking record retention rule. AML/CFT records must be retained for 8 years under Law 5549 Article 7. Practical rule: retain everything for 8 years — the longer period binds.
5. Fall-back to face-to-face verification
If suspicion arises at any point (suspicious document, liveness failure, inconsistent customer behaviour), the bank invokes the face-to-face fallback. The customer is invited to the nearest branch; in-person verification is performed.
Onboarding flow design
A typical BDDK-compliant remote onboarding flow:
Application:
- Mobile app download,
- Application via Turkish ID number + mobile number + email,
- SMS verification,
- Policy consents (data protection, contract).
Document scan + NFC:
- Front/back photo of ID document,
- NFC chip read (using the phone's NFC reader),
- Data extraction (MRZ + chip),
- Document integrity verification.
Selfie + liveness:
- Selfie capture,
- Liveness check (active: blink, head turn; or passive),
- Face match (selfie ↔ chip photo + extracted document photo).
Risk assessment:
- First-pass sanctions/PEP screening,
- KYC risk profile questions (occupation, income, purpose),
- Risk score computation.
Video session:
- Customer joins the queue or schedules,
- Bank representative greets,
- Quick verification (additional questions in risky scenarios),
- Contract acceptance,
- Session ends.
Account activation:
- Account opened,
- Card production (if physical),
- Email + SMS notification,
- AML monitoring activated.
Rejection scenarios
- Document not recognised / NFC unreadable / chip signature invalid,
- Face match failure,
- Liveness failure,
- Unresolved sanctions/PEP hit,
- Inconsistent data,
- Suspicious behaviour in the session.
Records on rejected applications are retained for 8 years; an STR is filed with MASAK where required.
What BDDK inspectors drill into
By 2026 the BDDK inspection focus is clear:
| Topic | What BDDK asks |
|---|---|
| NFC read rate | What share of applications were accepted without NFC? Why? |
| Rejection rate | Causes, percentages? |
| Liveness performance | Spoofing test results, FAR/FRR rates |
| Session quality | Recording-quality scores, accessibility |
| Training | Records for staff conducting sessions |
| Escalation | Share of cases redirected to branches + outcomes |
| System integration | Onboarding system integration with core banking + AML |
| Data protection | Processing, storage, deletion of biometric data |
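For the liveness-performance row, FAR and FRR come from replaying labelled test attempts against the acceptance threshold. The Python below is an added example, not BDDK's or any vendor's method: it computes both rates at a given threshold and finds the lowest threshold that keeps FAR within a target. The scores are constructed, and treating a score at or above the threshold as an accept is an assumption.

```python
# Added example: FAR/FRR at a threshold, and threshold selection for a FAR target.

def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) as fractions; a score >= threshold counts as accepted."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    far = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    frr = sum(s < threshold for s in genuine) / len(genuine)     # false rejects
    return far, frr

def lowest_threshold_for_far(genuine, impostor, max_far):
    """Lowest observed score usable as threshold with FAR <= max_far.

    Returns (threshold, far, frr), or None if no observed score qualifies.
    """
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None

# Constructed match scores: same-person attempts and spoof/other-person attempts.
GENUINE = [0.91, 0.88, 0.95, 0.67, 0.82, 0.93, 0.79, 0.97, 0.85, 0.90]
IMPOSTOR = [0.12, 0.35, 0.71, 0.22, 0.41, 0.18, 0.55, 0.30, 0.83, 0.27]
```

On this data, driving FAR to zero raises the threshold to 0.85 and FRR to 30%, the kind of calibration trade-off that shows up as lost completions.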
Comparison with SPK video ID verification
| Topic | BDDK (banks, etc.) | SPK (investment firms) |
|---|---|---|
| In force | 1 May 2021 | 23 December 2021 |
| Scope | Banks, factoring, leasing, financing | Brokerage, portfolio management (PYŞ), pension |
| Two-staff rule | No (1 staff + system) | Yes (minimum 2) |
| NFC requirement | Effectively expected | Not mandated |
| Liveness | Required | Required |
| Retention | 5 + 8 (AML) | 8 (Law 5549) |
| Authority | BDDK | SPK |
| AML framework | MASAK (parallel) | MASAK (parallel) |
See our SPK video ID verification guide for the investment-firm side.
Connection to the digital KYC cluster
This article is the BDDK leg of Cluster 5; for the technical depth see our Cluster 2 remote onboarding regulation article and the digital KYC guide. The BDDK regime is built on a single technical stack (NFC + liveness + video); the design of that stack lives in the digital KYC pillar.
A practical example
Consider a mid-to-large Turkish private bank running 800-1,200 new mobile onboarding applications per day. Typical metrics:
- NFC read success rate: 85-92% (varies with phone NFC support and ID card generation),
- Selfie + liveness pass rate: 88-93%,
- Sanctions/PEP hit rate: 1.5-3% (90%+ of hits are false positives),
- Session rejection rate: 6-10%,
- Completion rate (application → account open): 72-82%,
- Average completion time: 8-15 minutes.
These shift with internal performance, customer segment and technical stack. Completion below 80% usually points to liveness mis-calibration or session-queue issues.
Frequently asked questions
Does the regulation cover insurance companies?
No. The BDDK regulation applies only to BDDK-supervised entities (banks, factoring, financial leasing, financing). Insurers fall under SEDDK; remote onboarding for the insurance sector is governed by separate regulations and a separate underlying framework.
Can I accept ID documents without an NFC chip?
The older Turkish national ID has no NFC chip and can only be verified visually. The BDDK regulation does not categorically prohibit the older document but it requires additional controls (e.g. additional documents, face-to-face fallback) to compensate for the missing chip-integrity check. By 2026 most banks effectively require the e-ID card or a chipped passport.
How long should the video session run?
The regulation does not set a length. In practice 5-15 minute sessions are standard. Very short sessions (under 2 minutes) invite "insufficient verification" findings; very long sessions hurt operational throughput and increase customer drop-off. A risk-graded duration (low risk: ~5 min; high risk: 15+ min) is good design practice.
Can foreign nationals be onboarded remotely?
Yes, with additional documents (residence permit, tax ID) and expanded screening (international PEP lists, foreign sanctions databases). Customers from high-risk countries may default to face-to-face verification. Enhanced due diligence (EDD) is mandatory for FATF grey/black-listed countries.
Is consent enough for KVKK biometric data processing?
Turkish data protection law (KVKK) Article 6 treats biometric data as sensitive personal data. Processing requires explicit consent OR another lawful basis (e.g. AML/KYC legal obligation). In practice banks rely on both: explicit consent (for onboarding) and AML legal obligation (for retention). Even if consent is withdrawn the AML retention obligation requires the data to be kept for 8 years.
How Legichain helps with BDDK remote onboarding
Legichain's digital KYC product delivers a complete BDDK-compliant flow: NFC chip reading (Turkish e-ID + international passports), active/passive liveness detection, video session via the video KYC component, MASAK sanctions/PEP screening, and audit-ready 8-year retention. Our solution for banks integrates with core banking systems on a 14-day timeline — versus the 3-6 month internal builds the sector typically runs.
