Turkey’s Information and Communication Technologies Authority (“ICTA”) has recently issued the Regulation on Verification Process of the Applicant’s Identity in the Electronic Communication Sector (“Regulation”) which will be applicable as of December 31, 2021.
The Regulation sets out the procedures and principles for verifying the identity of the applicant where the documents issued for transactions such as subscription contracts in the electronic communications sector, number porting and operator change, qualified electronic certificate applications and registered e-mail applications are made electronically. The Regulation also states that the use of local resources to the maximum extent will be considered in its implementation.
Objectives of the Identity Verification Process
The Regulation defines the “operator” as the company that provides electronic communication services and/or provides an electronic communication network and operates its infrastructure within the framework of an authorization. According to the Regulation, “service provider” refers to an electronic certificate service provider or a registered e-mail service provider. Further, the Regulation defines electronic communication service as the provision, as a service, of some or all of the activities included in the definition of electronic communication.
The Regulation establishes that the operator/service provider can present the transactions within its scope to the applicant securely in an electronic environment through several platforms, including face-to-face channels, its own website and mobile applications.
The Regulation provides for the following methods of identity verification: (i) application via the e-Government portal, (ii) visual verification by artificial intelligence or authorized means, together with a document with a near field communication (“NFC”) feature in accordance with the International Civil Aviation Organization (“ICAO”) standard numbered 9303, (iii) creating an electronic signature with the Republic of Turkey Identity Card, and (iv) obtaining a video image specific to the transaction together with the applicant's identity document in face-to-face channels.
Identity Verification via e-Government Portal
The Regulation stipulates that the applicant can verify his/her identity by confirming the transaction he/she intends to pursue after logging into the e-Government portal. Further, according to the Regulation, if the information on the e-Government portal differs from the information held by the operator/service provider, the e-Government portal records will be taken as the basis.
Visual Identity Verification by Artificial Intelligence or a Representative
According to the Regulation, visual identity verification is conducted in real time and without interruption. It is regulated that the operator/service provider will take the necessary measures to ensure the integrity and confidentiality of the audio-visual communication regarding the identity verification process. Within the scope of the Regulation, the visual identity verification will be carried out with end-to-end secure communication.
In addition, the Regulation establishes that visual identity verification cannot be performed without the explicit consent of the applicant and that the obligation to inform must be fulfilled separately from the process of obtaining explicit consent before the visual identity verification is performed. As per the Regulation, while obtaining the explicit consent of the applicant, identity verification can be carried out electronically via e-Government portal or face-to-face channels.
The Regulation states that the validity and authenticity of the data and information contained in the identity document presented by the applicant will be verified as part of the visual identity verification process. In addition, it is regulated that techniques to detect the applicant's liveness will be used during visual identity verification.
As per the Regulation, if a suspicion of forgery or fraud, or a suspicion about the validity of the documents submitted by the applicant, arises during the visual identity verification process, the process will be terminated.
Further, the Regulation also stipulates that the identity verification process will be canceled in cases where it is not possible to make visual identity verification and/or communicate with the applicant as specified in this Regulation, or if there is any other inconsistency or uncertainty in the process.
Identity Verification in Face-to-Face Transactions
As per the Regulation, as an alternative to the e-Government portal and the other channels introduced by this Regulation, the applicant's identity can be verified by creating PAdES long-term verification with the Republic of Turkey Identity Card, provided that the transactions covered by this Regulation are carried out electronically in face-to-face channels between the applicant and the operator/service provider or a representative conducting business on its behalf.
Regardless, the Regulation establishes that the applicant's identity can be verified by taking a video image specific to the process together with the identity document. In addition, it is regulated that, in case of face-to-face identity verification, a single-use password or link must be sent to the contact number or e-mail address declared by the applicant to confirm the use of the declared contact information.
Measures Taken Against Security Issues
With the Regulation, it is stipulated that operators and service providers have obligations to protect, preserve and securely store the data they process. In this regard, the Regulation stipulates that operators and service providers shall mask and encrypt the identity verification information of applicants.
Furthermore, the Regulation states that, for the transactions within its scope, the operator/service provider cannot obtain the biometric data of individuals electronically by using an electronic pen or a similar method. In addition, the Regulation requires the operator/service provider to follow technological developments closely and make the necessary updates for cases such as fraud, fraudulent activities, and weaknesses in the identification method.
Finally, as per this Regulation, if the obligations established are not met, administrative fines of varying amounts will be imposed in accordance with the relevant provisions.
Ezgi Ceren Aydoğmuş, Esra Temur