Legichain

SPK-Compliant Video ID Verification for Investment Firms

The operational playbook for Turkish brokerage houses and portfolio management companies under SPK Decision 65/1929 of 23 December 2021.

Legichain Team 11 min read 26 May 2026

SPK Decision No. 65/1929 of 23 December 2021 ended the physical-signature requirement for Turkish brokerage houses and portfolio management companies (PYŞ) by formally authorising video-based identity verification. The decision extended to capital markets the remote onboarding capability that BDDK had unlocked for banks earlier the same year. This guide walks through the technical requirements, operational flow design, recording handling and the issues SPK inspectors drill into — with emphasis on what 2026 inspection practice has clarified.

Context

Until 2021 Turkish capital markets firms required physical signatures for new customer onboarding. Pandemic-era pressure from the industry pushed the SPK to act; on 23 December 2021 the board (Decision 65/1929) authorised video ID verification. The decision covers three categories of investment firm:

  • Brokerage houses (broad and narrow-licence brokerage houses),
  • Portfolio management companies (PYŞ),
  • Pension companies — for specified transactions.

The decision sets technical standards for how identity verification is performed; the substantive AML/CFT framework (sanctions/PEP screening, STR, risk scoring) remains under the MASAK regulation. The two frameworks apply jointly.

Technical requirements

The headline technical requirements:

1. Live (synchronous) video session

The session must run in real time; asynchronous (pre-recorded) video is not accepted. The session must include:

  • At least two authorised firm staff plus the customer,
  • Staff identity confirmed as authorised users,
  • Date, time and participant detail logged.

The rationale for the two-staff rule: one staff member runs the session, the second observes for control purposes. In practice the second staff member need not be visibly on-camera throughout — what matters is auditable evidence (log + recording + checklist) that the second person engaged in the verification process.

2. Live document verification

The customer must show a valid identity document (Turkish national ID, e-ID card, or passport) live, and the staff must visually inspect it. The document must be:

  • Within validity,
  • Not damaged,
  • Free of fraud indicators,
  • A face-match to the customer (by live or automated face recognition).

NFC chip reading of the e-ID card is not mandatory under the SPK decision but is strongly recommended as good practice — chip data verification is the single most reliable defence against document fraud. See our digital KYC guide for detail.

3. Liveness detection

Technical proof that the customer is "live" — not a photo or deepfake. The decision does not mandate a specific technology; either active liveness (asking the user to turn their head, smile) or passive liveness (texture analysis, depth sensing) is acceptable.

4. Audio and video quality

The session must have audio and video quality sufficient to:

  • Clearly see the customer's face,
  • Read the document text,
  • Hear the audio (for lip-reading if needed).

Practical standard: video 720p+, audio 16kHz+. Low-quality recordings invite inspection findings of the form "it cannot be determined whether verification was properly performed".

5. Recording and retention

Full video session must be recorded and retained for 8 years (the period set in Article 7 of Law 5549). Recordings must be:

  • In a format with guaranteed integrity (e.g. hashed and signed),
  • Accessible on inspection,
  • Processed in line with the customer's other rights (Turkish data-protection law, KVKK).

Operational flow design

A typical SPK-compliant video ID verification flow:

  1. Pre-onboarding (web/mobile):

    • Customer downloads app / fills the form,
    • Initial data collection: Turkish ID number, name, date of birth,
    • First-pass sanctions/PEP screening.

  2. Document upload + NFC reading (optional):

    • Customer uploads front/back of ID document,
    • NFC chip read if supported — document integrity verified,
    • Selfie + liveness test.

  3. Video session:

    • Customer presses "join session",
    • System assigns at least 2 authorised staff to the session,
    • Staff greet the customer; ask to see the ID document live,
    • Face is matched against the document,
    • Risk profile questions (KYC form),
    • Session approved or rejected.

  4. Post-session:

    • Recording archived (hash + signature),
    • Account opening completed,
    • Customer notification sent,
    • First-line AML monitoring activated.

Rejection scenarios

Sessions can be rejected for:

  • Document not recognised / suspicious,
  • Face match failure,
  • Liveness failure (potential deepfake/photo),
  • Sanctions/PEP hit cannot be cleared,
  • Inconsistent customer-provided information,
  • Suspicious session environment (e.g. customer appearing to be coached off-camera).

Rejected applications still generate records and may require STR filing to MASAK.

What SPK inspectors actually drill into

By 2026 the inspection patterns are clear:

Topic What SPK asks
Two-staff rule Did the second staff member actually participate? Is there log evidence?
Visual quality Can document text be read on recording?
Liveness What active/passive technology, from which supplier?
Rejected applications What was rejected and why? What share?
MASAK integration Were STRs filed for rejected applications where required?
Record retention 8 years, integrity, access controls
Training Did session staff complete dedicated video-ID training?
Staff authorisation What is the authority matrix? Is the eligible-staff list current?

Differences from BDDK remote onboarding

SPK video ID verification is often confused with BDDK remote onboarding. Key differences:

Topic SPK (investment firms) BDDK (banks, financing, etc.)
Instrument SPK Decision 65/1929 of 23.12.2021 Remote Customer Onboarding Regulation (1 May 2021)
Scope Brokerage houses, PYŞ, pension companies (specified transactions) Banks, factoring, financial leasing, financing companies
Two-staff rule Yes (minimum 2) No (one staff member + system sufficient)
NFC requirement No (good practice) No (but preferred)
Liveness Yes Yes
Retention 8 years (Law 5549) 5 years + 8 years for AML/CFT
MASAK framework Applied jointly Applied jointly

See our BDDK remote onboarding guide for the bank-side detail; the SPK regime is a small but consequential variant.

Connection to the digital KYC cluster

The operational pillar for this article is our digital KYC guide — video ID verification is one tier of digital KYC. Our Cluster 2 SPK-specific article goes deeper on the technical implementation.

Frequently asked questions

Does the SPK decision cover only individual customers?

No, the decision covers both individual and legal-entity customers. For legal entities additional documents (trade registry, signature circular, board resolution, beneficial-owner declaration) must be collected through electronic channels before or after the session. The legal entity's authorised representative joins the video session and the verification runs against that representative.

Does the two-staff rule require continuous active participation throughout the session?

The SPK decision does not specify "continuous active participation by both". In practice: one staff member runs the session, the second monitors live or reviews the recording. What matters is auditable evidence that two authorised staff played a role in the verification (log + recording + checklist).

What is a typical rejection rate?

Practical observation across Turkish investment firms: 5-12% rejection rate. Rejection cause distribution: document unreadable (~30%), liveness fail (~25%), face-match fail (~20%), customer dropped the connection (~15%), unresolved sanctions/PEP hit (~10%). Rates above 15% usually signal a process design problem — most often over-tuned liveness thresholds.

Will SPK find me at fault if I do not read the NFC chip?

NFC reading is not mandatory under the SPK decision. But chip reading + integrity verification is the most reliable defence against document fraud. If inspection finds elevated fraud rates or undetected forged documents, SPK can frame the gap as a "good practice not followed". Future SPK guidance is likely to make NFC closer to mandatory.

Is the process different for foreign customers?

For applicants using a foreign passport, MRZ (Machine Readable Zone) reading, passport verification (ICAO PKD checks) and broader PEP/sanctions databases (Worldcheck, Dow Jones, Refinitiv style) are advisable. The SPK decision does not distinguish foreign vs domestic, but enhanced due diligence for customers from high-risk countries is already expected under the MASAK regulation.

How Legichain helps with SPK video ID verification

Legichain's video KYC product implements SPK Decision 65/1929 end-to-end: the two-staff flow, live document verification, liveness detection, and optional NFC chip reading delivered through a single SDK. Recording and 8-year retention are managed in audit-ready format. Our investment-firm onboarding stack integrates with MASAK sanctions/PEP screening and produces STR-ready output for rejected applications.

Next steps

Legichain Team· Compliance editorial

Written by Legichain's compliance editorial team — regulated-financial-services veterans who built and integrated AML platforms for banks and crypto exchanges across EMEA.

Related reading

You may also like

turkey-regulation

Turkey Financial Compliance: The AML/KYC Regulatory Guide

Turkey's AML/KYC architecture is fragmented across four overlapping regulators (MASAK, SPK, BDDK, CBRT) and a stack of secondary legislation that keeps shifting. This pillar guide gives international operators and Turkish compliance teams a single reference: which law sits under which authority, reporting deadlines, thresholds, customer onboarding rules and the operational details that consume the most analyst hours in real deployments.

Read article
turkey-regulation

MASAK Obligations for Turkish PSPs and E-Money Institutions

Turkish payment service providers (PSPs) and electronic money institutions (EMIs) sit under dual supervision: CBRT (licensing, prudential) and MASAK (AML/CFT). This BOFU guide covers the operational obligations under Law No. 6493 + Law No. 5549 + the MASAK Regulation — identity verification, transaction monitoring, e-money limits, STR filing and inspection readiness for both Turkish operators and international PSPs entering the market.

Read article
turkey-regulation

MASAK Compliance Guide: Obligations, Reporting, Workflows

Turkey's Financial Crimes Investigation Board (MASAK) supervises every AML/CFT obligation under Law No. 5549. This guide translates the statute into the seven operational workflows compliance teams actually run: STR filing, CDD, sanctions/PEP screening, transaction monitoring, training, internal audit and inspection readiness — with concrete deadlines and thresholds.

Read article

Be screen-ready in an afternoon.

Spin up a free workspace, paste your first API key into a curl, ship a verified onboarding flow before your next stand-up.

Start freeBook 30 min with sales