Turkey's Banking Regulation and Supervision Agency (Bankacılık Düzenleme ve Denetleme Kurumu, BDDK) issued its Remote Customer Onboarding Regulation in May 2021, formally enabling banks and electronic money institutions to acquire customers without physical branch presence. The regulation is prescriptive — it sets specific technical, operational, and retention requirements that international institutions evaluating Turkey market entry need to understand. This article explains the framework, compares it to EU EBA Remote Onboarding Guidelines and UK MLR 2017, and translates the requirements for cross-border operators.
Scope
Turkey's BDDK Remote Customer Onboarding Regulation applies to:
- Deposit banks — individual account opening, credit extension, card applications.
- Participation banks — same scope.
- Development and investment banks — limited application.
- Electronic money institutions (EMIs) — under BDDK supervision, within the BDDK remote onboarding framework.
- Payment service providers (PSPs) — for low-balance digital wallet flows with tailored requirements.
Investment firms (brokerages, portfolio managers) operate under the Capital Markets Board (SPK) video ID notice — a parallel but separate framework. See our video KYC and SPK compliance article for the SPK side.
Core Obligations
1. Video Session
The regulation mandates a synchronous, uninterrupted, bidirectional video and audio session between an authorized employee of the institution and the prospective customer. Key requirements:
- Synchronous — recording cannot be asynchronous; both parties must be live and connected at the same time.
- Uninterrupted — if the connection drops, the session must restart from the beginning.
- Quality — video and audio quality must be sufficient to support identification.
WebRTC-based platforms are the de facto standard — low latency, end-to-end encryption, modern browser and mobile support.
2. Document Verification
The regulation requires verification of the document's electronic identification data — practically, this means reading the chip via NFC or verifying the MRZ via OCR with operator visual cross-check. Driver's licenses alone are not acceptable as primary identity documents.
In practice:
- NFC preferred — Turkish ID card (TCKK) chip reading + ICAO 9303 PKD signature validation. See our NFC ID verification guide.
- MRZ fallback — for users without NFC-capable devices or older non-chip ID cards, OCR + MRZ + operator visual document inspection.
The data extracted from the document (name, date of birth) must match the data the customer provides; mismatches trigger rejection.
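The MRZ fallback path can be sketched as follows. This is an added example, not code from the regulation or from any vendor SDK: it validates the ICAO 9303 check digits of a TD1 (ID-card size) MRZ and then compares the extracted surname and date of birth with what the applicant typed. The function names and the sample MRZ are constructed for illustration.

```python
from datetime import date

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated over the field

def char_value(c):
    if "0" <= c <= "9":
        return ord(c) - ord("0")
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10   # A=10 ... Z=35
    if c == "<":
        return 0                         # filler character
    raise ValueError(f"invalid MRZ character: {c!r}")

def check_digit(field):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def parse_td1(lines):
    """Parse a TD1 MRZ (3 x 30 chars) and list the check digits that fail."""
    if len(lines) != 3 or any(len(l) != 30 for l in lines):
        raise ValueError("TD1 MRZ must be 3 lines of 30 characters")
    l1, l2, l3 = lines
    checks = {
        "document_number": (l1[5:14], l1[14]),
        "birth_date": (l2[0:6], l2[6]),
        "expiry_date": (l2[8:14], l2[14]),
        "composite": (l1[5:30] + l2[0:7] + l2[8:15] + l2[18:29], l2[29]),
    }
    failed = [name for name, (field, cd) in checks.items()
              if str(check_digit(field)) != cd]
    surname, _, given = l3.partition("<<")
    return {"document_number": l1[5:14].rstrip("<"),
            "birth_date": l2[0:6],
            "surname": surname.replace("<", " ").strip(),
            "given_names": given.replace("<", " ").strip(),
            "failed_checks": failed}

def matches_declared(mrz, declared_surname, declared_birth):
    """Reject on any checksum failure or mismatch with applicant-entered data."""
    if mrz["failed_checks"]:
        return False
    return (mrz["surname"] == declared_surname.strip().upper()
            and mrz["birth_date"] == declared_birth.strftime("%y%m%d"))

# Constructed specimen-style MRZ (fictional holder); each line is 30 characters.
SAMPLE = ["I<UTOD231458907" + "<" * 15,
          "7408122F1204159UTO" + "<" * 11 + "6",
          "ERIKSSON<<ANNA<MARIA" + "<" * 10]
```

Check digits only catch OCR misreads and careless edits; anyone can recompute them, which is why this path still needs the operator's visual inspection. The MRZ holds only A-Z, so declared names containing Turkish letters must be transliterated before comparison, which this example does not do.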
3. Biometric Verification
The customer's live video stream is matched 1:1 against the document's facial image. Production thresholds typically start at 80+ for automatic pass; lower scores require operator visual confirmation.
Liveness detection is mandatory — both passive ML-based liveness and active challenge-response models are used. Without liveness, the flow is vulnerable to presentation attacks (printed photos, video replays, deepfakes). See our liveness detection explainer.
4. Supplementary Documents
When the customer needs to provide additional documents (income statement, address verification, proof of source of funds), these can be exchanged during the session via screen sharing or camera capture, or post-session via secure portal upload linked to the session record.
5. AML Obligations
Identity verification alone is insufficient — Turkey's Law No. 5549 (Prevention of Money Laundering) and MASAK (the Financial Crimes Investigation Board) require risk profiling of every customer. Minimum components:
- Sanctions screening — OFAC SDN, UN consolidated, EU consolidated, UK OFSI, and local lists.
- PEP screening — politically exposed persons.
- Adverse media — negative news screening.
- Risk scoring — country risk, sector risk, product risk.
See our AML screening guide for the screening architecture.
6. Recordkeeping
The regulation requires retention of the video session, document data, biometric data, and all verification logs for at least 10 years. Retention obligations:
- Integrity — tamper-evidence via hash chains, WORM storage, or digital signatures.
- Accessibility — records must be retrievable during BDDK inspection.
- KVKK compliance — biometric data is special-category personal data under Turkey's KVKK (the GDPR equivalent), requiring explicit consent and access restrictions.
Operator Authorization
The regulation specifies criteria for operators conducting video sessions:
- Employed by the institution (fully-outsourced call center models face heightened scrutiny).
- Trained in AML and remote onboarding procedures.
- Identified in the institution's authorization matrix.
- Training must be refreshed (annual minimum is standard practice).
A typical implementation: the bank's central operations team includes a designated "video onboarding" role; training, authorization, and performance tracking are centralized.
Risk-Based Approach
The regulation permits risk-based application of customer due diligence. The friction difference between a low-balance, low-risk wallet onboarding and a high-balance, high-risk corporate account onboarding follows this logic:
| Customer Profile | Minimum Verification | Operator Session |
|---|---|---|
| Low risk, low balance (e.g. small wallet, young customer) | NFC + liveness + selfie match | Automated flow may suffice (subject to BDDK compliance review) |
| Standard retail customer | NFC + liveness + video session | Required |
| High-risk (PEP, high balance, additional products) | All of the above + supplementary documents | Required + enhanced review |
| Non-resident foreign nationals | Passport NFC + liveness + video session | Required + enhanced risk scoring |
Risk-based segmentation balances regulatory compliance with conversion. Applying the heaviest flow to every applicant typically costs 30-40% of would-be customers.
How Turkey Compares to EU and UK
vs. EU EBA Remote Customer Onboarding Guidelines (October 2023)
The EBA guidelines are principle-based — they describe expected outcomes (risk-based application, robust technology, retention) but don't prescribe specific tools. Turkey's BDDK regulation is more prescriptive: it explicitly requires video sessions (under most risk profiles), NFC or MRZ for document verification, and 10-year retention. The technical architecture an institution builds for BDDK compliance generally also satisfies EBA expectations.
vs. UK MLR 2017 and JMLSG
UK MLR 2017 requires "reliable, independent" verification; JMLSG guidance recognizes video ID as one robust method but doesn't mandate it universally. The FCA expects institutions to demonstrate due diligence on their chosen eIDV providers. Turkey's BDDK rules are more prescriptive about the operator session requirement but converge with JMLSG on the underlying technical components (chip reading, biometrics, liveness, retention).
The practical upshot: an institution deploying a video ID stack designed for Turkey can serve EU and UK customers with relatively minor adjustments — mostly around document coverage (passports + various national IDs vs. TCKK) and retention period interpretation.
Operational Flow
A typical Turkish bank remote onboarding sequence:
- Application start — customer enters Turkish ID number + phone + email via web or mobile.
- OTP verification — phone and email verified.
- NFC ID reading — user scans their TCKK chip with their phone; NFC + signature validation runs.
- Selfie + liveness — user takes selfie; passive/active liveness triggered; 1:1 face match against the chip photo.
- AML screening — sanctions, PEP, adverse media screening runs in parallel.
- Operator queue — if automated flow completes, the verified record reaches an operator.
- Video session — operator conducts 3-5 minute session, identity confirmation + risk profile questions.
- Approval and account activation — operator decides, account is activated, customer is notified.
Typical total duration: 8-12 minutes. Automated flow completes first-time for 85-90% of applicants.
BDDK Inspection Records
To pass BDDK inspection, the institution must produce:
- Video session recordings — 10-year retention with hash-chain integrity.
- NFC reading logs — SOD signature validation detail, PKD version, outcome code.
- Biometric and liveness scores — with model version and threshold.
- AML screening outcomes — sanctions/PEP/adverse media hits and operator dispositions.
- Operator decision logs — operator identity, timestamp, reasoning.
- Operator authorization matrix and training records.
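The hash-chain integrity named under Recordkeeping and in the inspection list above can be illustrated with a small audit log. This is an added example, not the regulation's or any vendor's implementation; the event fields, placeholder values and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed predecessor for the first entry

def _digest(prev_hash, body):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_event(log, event):
    """Append an event, binding it to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "event": event}
    log.append({**body, "prev": prev, "hash": _digest(prev, body)})
    return log[-1]["hash"]

def verify_chain(log, anchored_head=None):
    """Return -1 if intact, else the index of the first entry that fails.

    anchored_head is the last hash as stored outside the log (WORM bucket,
    signed receipt). Without it, truncation or a full rewrite goes unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "event": entry["event"]}
        ok = (entry["seq"] == i and entry["prev"] == prev
              and hmac.compare_digest(entry["hash"], _digest(prev, body)))
        if not ok:
            return i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return -1

def build_sample_log():
    """Constructed events for one application; all values are illustrative."""
    log = []
    for event in [
        {"type": "video_session", "session": 1, "outcome": "terminated_connection_failure"},
        {"type": "nfc_read", "sod_signature_valid": True, "pkd_version": "PLACEHOLDER"},
        {"type": "liveness", "score": 87, "threshold": 80, "model_version": "PLACEHOLDER"},
        {"type": "video_session", "session": 2, "outcome": "completed"},
        {"type": "operator_decision", "operator_id": "op-EXAMPLE", "decision": "approved"},
    ]:
        head = append_event(log, event)
    return log, head
```

A chain on its own only proves internal consistency: dropping the last entries, or recomputing every hash after an edit, still verifies. Storing the head hash somewhere the log writer cannot modify is what turns the chain into tamper-evidence.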
Common Compliance Pitfalls
Pitfall 1: Making NFC optional. "If the user doesn't have NFC, OCR is enough" is risky for higher-risk profiles. NFC should be the preferred path with explicit fallback documentation.
Pitfall 2: Not enforcing video quality. A "low connection, let's continue at 240p" flow can produce recordings that won't withstand inspection. The system should check quality automatically.
Pitfall 3: Delegating liveness blindly to the SDK vendor. "Vendor says it's PAD-certified" isn't enough — verify the certification level (PAD Level 1/2/3), check what model was tested, and ensure the production model matches.
Pitfall 4: Fragmenting the audit chain. Video in one system, logs in another, decisions in a third — inspection becomes difficult to defend.
Pitfall 5: Patching GDPR/KVKK compliance late. Biometric data is special-category; explicit consent, access restrictions, and minimization must be designed in from the start.
Frequently Asked Questions
When did the BDDK regulation take effect, and has it been updated since?
The BDDK Remote Customer Onboarding Regulation entered into force on 1 May 2021. BDDK has issued additional clarifications since, particularly on EMI balance thresholds and the interaction with crypto asset service provider rules emerging under the KVHS framework. Always check BDDK's latest circulars; the practical regulatory landscape evolves quarter to quarter.
Do KYC SDKs need BDDK approval?
BDDK does not directly approve SDKs; the responsibility for compliance rests with the regulated institution. However, the institution must be able to demonstrate that the SDK meets BDDK's technical requirements — NIST PAD certification, ICAO 9303 PKD support, audit-log retention, and so on. These international standards typically serve as the evidence basis during inspection.
Are non-Turkish nationals eligible for BDDK remote onboarding?
Yes, the regulation extends to foreign nationals but with additional safeguards. Passport NFC reading replaces TCKK reading (ICAO 9303 supports both). Foreign nationals automatically score higher on risk; high-risk-jurisdiction applicants may face mandatory video sessions and enhanced due diligence. Some sanctioned jurisdictions are refused entirely under the institution's risk appetite.
What if the video session connection drops?
The regulation requires uninterrupted sessions. A dropped connection invalidates the partial session; the customer must restart. The audit log should record "session 1 terminated due to connection failure; session 2 completed successfully" — partial records aren't valid evidence but the failure pattern itself is important context for inspection.
How quickly is the account activated after operator approval?
Typically within minutes. If additional risk scoring, AML investigation, or manual review is triggered, activation can take hours to a working day. The customer must be informed of expected timing; no transactions are processed until the account is fully activated.
How Legichain helps
Building an infrastructure compliant with Turkey's BDDK Remote Customer Onboarding Regulation — video session platform, NFC SDK, liveness model, AML screening, operator console, audit logging — typically requires 9-12 months of engineering effort. Legichain Digital KYC and Video KYC delivers these layers as a single integrated stack, designed simultaneously for BDDK rules, EBA Remote Onboarding Guidelines, UK MLR 2017, and SPK video ID requirements. Authorized operator management, queue handling, automated pre-session technical summary, hash-chain WORM retention, and KVKK/GDPR-compliant biometric data handling are built in. Legichain Video KYC provides the operator console for the regulated video session. International institutions evaluating Turkey market entry, and Turkish institutions extending to EU/UK, deploy on the same platform — typically moving from in-house planning to production in 6-10 weeks rather than 9-12 months.
