When Turkey's Capital Markets Board (Sermaye Piyasası Kurulu, SPK) issued its video ID verification notice in 2021, it formalized a regime that closely tracks EU and UK practice: real-time bidirectional operator sessions, document chip reading, biometric matching, liveness, retention. For international institutions evaluating Turkey market entry, or for any institution designing video ID flows under EU AMLD / EBA guidelines / UK MLR 2017, the SPK framework is a useful concrete reference — it's specific where the EU rules are principle-based. This article walks through SPK's video ID requirements and shows how the architecture maps to the broader European video ID design pattern.
What Is Video ID Verification?
Video ID verification (also called video KYC) is a real-time, bidirectional video and audio session between a regulated firm's authorized operator and a customer being onboarded remotely. The goal is to satisfy customer due diligence — confirming the customer's identity, capturing their risk profile, retaining auditable evidence — without requiring in-person presence.
Two pillars define a robust video ID flow:
- Technical verification — chip ID reading, biometric face matching, liveness detection.
- Human verification — an authorized operator in a real-time session with the customer.
Both pillars are required under most modern frameworks. Pure-automation flows skip the operator; pure-operator flows skip the technical verification — neither is acceptable for high-risk profiles. See our complete digital KYC guide for the broader technology context.
Scope: Who Falls Under SPK Video ID?
Turkey's SPK granted video ID authority to:
- Brokerage firms — intermediaries in capital markets instruments.
- Portfolio management firms — managing individual and institutional portfolios.
- Investment fund managers — fund founders and management companies.
- Bank investment divisions — separately authorized investment activities within banks.
Retail bank deposit customers fall under BDDK's Remote Customer Onboarding Regulation — a parallel but separate framework. See our Turkey remote onboarding regulation for the BDDK side.
In the EU, comparable requirements vary: Germany's BaFin VideoIdent procedure is the most prescriptive; many EU jurisdictions take a risk-based approach where video ID is one acceptable method among several. UK MLR 2017 and JMLSG guidance recognize video ID as a robust verification approach for higher-risk profiles.
Technical Requirements
Video and Audio Quality
SPK requires the session to be "uninterrupted, real-time, and bidirectional." In practice:
- Minimum resolution: 480p as a floor; 720p as standard.
- Real-time: asynchronous recording isn't acceptable; both parties must be live and connected simultaneously.
- Audio: two-way, latency under ~300ms.
- Connection loss: if the connection breaks, the session must restart. A partial session is not a valid record.
WebRTC-based platforms — low latency, end-to-end encryption, modern browser/mobile support — are the de facto standard.
Document Verification
SPK requires verification of the document's electronic identification data. In practice:
- NFC chip reading — preferred. ICAO 9303 chip read with PKD signature validation provides cryptographic proof of document authenticity. See our NFC ID verification guide.
- MRZ + operator visual inspection — fallback for users without NFC-capable devices or with non-chip documents.
Driver's licenses alone are not accepted; a chip-bearing national ID or passport is the standard primary document.
Biometric Matching and Liveness
The chip's facial image (DG2) is matched 1:1 to the user's live video stream. The threshold is typically 80+ for automatic pass, 60-80 for operator visual confirmation, and below 60 for rejection.
Liveness detection is mandatory — either passive (ML-based) or active (challenge-response). Without liveness, the flow is vulnerable to photo and video replay attacks. See our liveness detection explainer.
Retention
SPK requires retention of the full video session (video + audio + screen-share + chat) for at least 10 years. Retention obligations:
- Integrity: records must be tamper-evident — hash chains, digital signatures, or WORM storage.
- Accessibility: records must be retrievable during regulatory inspection within reasonable timeframes (typically 5 working days).
- Data protection: under Turkey's KVKK, biometric data (facial images, templates) is special-category personal data requiring explicit consent and access restrictions. EU institutions face equivalent GDPR Article 9 obligations.
Operator Workflow
Authorization
Operators conducting video ID sessions must meet specific criteria:
- Training: anti-money laundering and video ID procedures.
- Employment: employed by or under direct control of the regulated firm (fully-outsourced call center models are problematic).
- Identification: named in the firm's authorization matrix and notified to the regulator.
Refresher training is typically required annually.
Session Flow
A typical video ID session:
- Pre-session automated checks — the user runs NFC + liveness + face matching before the operator session. Results are summarized and presented to the operator.
- Operator queue entry — the verified record reaches an available operator.
- Session start — the operator confirms identity and asks the customer to show the physical document to the camera as a cross-check.
- Risk profile dialogue — questions about source of funds, occupation, expected activity (AML/KYC standard).
- Decision and recording — operator approves or rejects with documented reasoning; the full session is archived.
Typical session length: 3-5 minutes. Peak-hour queue wait: 2-8 minutes. Operator capacity: 8-12 sessions per hour including write-up time.
Records Reviewed in Inspection
SPK (and BDDK, MASAK in their respective domains) audit the following during regulatory inspection:
- Video session recordings — full audio/video, retained with integrity guarantees.
- Technical verification logs — NFC outcome including SOD validation details, biometric match score, liveness score, with model versions and thresholds.
- Operator decision logs — operator identity, timestamp, decision, reasoning.
- Customer risk profile records — AML screening outcomes, ongoing monitoring triggers.
- PKD certificate update logs — which PKD version was used to validate the NFC signature on a given date.
Unstructured retention ("videos in one folder, logs in another, decisions in spreadsheets") is a red flag during inspection.
Operational Numbers
Anonymized aggregate data from a typical Turkish brokerage firm:
- Full flow time (user initiation → approval): 6-9 minutes average.
- Per-operator hourly session capacity: 8-12 (session + write-up).
- Automated pre-session success rate (NFC + liveness + face match clean): 85-91%; remainder requires operator manual handling.
- Operator approval rate: 92-96%; rejection reasons skew toward document invalidity or liveness suspicion.
- Peak queue hours: lunch and the 19:00-22:00 evening slots.
Common Compliance Mistakes
Mistake 1: Stitching video, NFC, and storage from different vendors. Audit-chain integrity breaks at the seams. Single-vendor or tightly-integrated stacks are easier to defend in inspection.
Mistake 2: No tamper-evidence on recordings. "MP4 files in S3" isn't enough — a regulator will ask how you can prove a recording wasn't altered post-creation. Hash chains or WORM storage are the practical answers.
Mistake 3: Treating operator training as one-off. Regulations evolve (AMLD updates, SPK clarifications); operator training must keep pace. Annual refresher at minimum.
Mistake 4: Accepting low-quality streams. "Connection is slow, let's continue at 240p" is a compliance failure. The system should auto-enforce minimum quality and prompt the user to retry if it is not met.
Mistake 5: Treating biometric data as ordinary personal data. Both KVKK in Turkey and GDPR in the EU classify biometric data as special-category. Consent, access restriction, and data-minimization design must be baked in from day one.
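The hash-chain approach named in Mistake 2 and in the Retention integrity requirement, as an added example (not code from Legichain or from any regulator): one chain per session binds the technical verification logs, the recording digest and the operator decision, so an edit to any of them is detectable. Record field names, sample values and the HMAC seal over the chain head are assumptions made for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # fixed starting value for the first link

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def append(chain, record):
    """Append one evidence record, linked to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": _digest(prev, record)})
    return chain[-1]["hash"]

def seal(chain, key):
    """HMAC over the chain head; keep it outside the log (assumed: WORM store)."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()

def verify(chain, key, expected_seal, recording_bytes=None):
    """Return (ok, reason): checks every link, the media digest, then the seal."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, f"entry {i} broken"
        rec = entry["record"]
        if recording_bytes is not None and rec.get("type") == "recording":
            if hashlib.sha256(recording_bytes).hexdigest() != rec["sha256"]:
                return False, "recording altered"
        prev = entry["hash"]
    if not hmac.compare_digest(seal(chain, key), expected_seal):
        return False, "seal mismatch"
    return True, "ok"

def build_sample_session(video, key):
    """Constructed sample data: all values below are illustrative only."""
    chain = []
    append(chain, {"type": "nfc", "sod_valid": True, "pkd_version": "PLACEHOLDER"})
    append(chain, {"type": "biometric", "match_score": 87, "liveness": "pass"})
    append(chain, {"type": "recording", "sha256": hashlib.sha256(video).hexdigest()})
    append(chain, {"type": "decision", "operator": "op-001", "result": "approved"})
    return chain, seal(chain, key)
```

A plain hash chain only detects edits if its head value is held somewhere the log's writer cannot rewrite; the keyed seal stands in for that anchor here, and it also catches a truncated or fully recomputed chain.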
Frequently Asked Questions
How does Turkey's SPK video ID compare to Germany's BaFin VideoIdent?
Both frameworks require real-time bidirectional sessions with trained operators, document verification, and recording retention. BaFin VideoIdent is broader — it applies to all financial institutions for any remote customer onboarding above certain thresholds. SPK is narrower — it applies to investment firms (brokerages, portfolio managers, fund managers). The technical architecture is essentially the same; both rely on similar WebRTC + NFC + biometrics + operator console stacks.
Can a single video session verify multiple individuals?
Generally no — each session verifies one applicant. For joint accounts or family accounts, each individual requires their own session. Corporate onboarding follows a different pattern: individual video sessions for authorized representatives plus separate corporate document review.
What happens if the connection drops mid-session?
The session must restart from the beginning. Partial recordings aren't valid evidence. Operators should be trained to document the connection failure in audit logs, so a regulator can see "first session terminated by connection failure, second session completed" rather than a suspicious gap.
Can outsourced call center operators conduct video ID sessions?
The text of most regulations expects operators to be employed by or under direct control of the regulated firm. Fully-outsourced call center models face heightened scrutiny. Most institutions keep video ID operators in-house, outsourcing only the underlying technical platform (WebRTC infrastructure, NFC SDK, recording storage). Specific approval from the regulator is wise before deploying outsourced operator models.
When is video ID rejected and what happens to the user?
Operators reject sessions for document concerns, liveness failures, biometric mismatch, or risk red flags. The customer is informed (typically without disclosing detailed reasoning to avoid tipping off potential fraud), can re-apply after a cooling period (5 working days is common), or is referred to a physical branch. Repeated rejections may also trigger an STR review under AML obligations.
How Legichain helps
Building an SPK-compliant (or EBA/FCA-aligned) video ID stack from scratch — WebRTC platform, NFC SDK, liveness model, operator console, audit logging, hash-chain integrity, GDPR/KVKK-compliant storage — is a 9-12 month engineering effort. Legichain Video KYC provides this stack out of the box, designed simultaneously for Turkey's SPK and BDDK rules, EU AMLD/EBA guidelines, and UK MLR 2017/JMLSG expectations. The operator console handles authorization tracking, queue management, pre-session technical summary, and decision recording. Sessions are stored in WORM-backed storage with hash-chain integrity; full audit packages can be exported for inspection in minutes. The Legichain Digital KYC platform handles the technical verification layers (NFC, liveness, face matching) under the same session. Typical investment firms and banks move from in-house planning to production in 4-6 weeks rather than 6-9 months.
