31 Jul, 2021

Regulation on the Applicant's Identity Verification Process in the Electronic Communications Industry

The regulation issued by the Information Technologies and Communications Authority on 26 June 2021 will enter into force on 31/12/2021.

In the electronic communications sector, this Regulation covers the procedures and principles for verifying the applicant's identity when the documents for the following transactions are issued electronically:
• subscription agreement,
• number porting application,
• application for change of operator,
• qualified electronic certificate application,
• registered e-mail application,
• SIM change application.

Under the regulation, identity verification is carried out by one of the following methods:
a) The e-Government Gateway,
b) Visual verification by artificial intelligence or an authorized person, together with a document that has near field communication capability in accordance with the ICAO 9303 standard,
c) Creating a PAdES together with the TCKK,
ç) Taking video footage specific to the transaction together with the applicant's identity document in face-to-face channels.

In authentication through the e-Government Gateway, the applicant who has logged in to the e-Government Gateway is shown the information transmitted by the operator (KN, name, surname, type of transaction, the service number specific to the transaction and the information that must be included in the transaction document under the relevant legislation) together with the applicant's verified contact number and e-mail address registered on the e-Government Gateway, and the applicant's approval of this information is obtained. Confirmation that the applicant's identity has been verified, along with the verified contact number and e-mail address, is then forwarded to the operator/service provider.

Video authentication by artificial intelligence or an authorized person

Video authentication is done in real time and without interruption. The operator/service provider takes the necessary measures to ensure the integrity and confidentiality of the audio-visual communication regarding the identity verification process. For this purpose, video verification is carried out with end-to-end secure communication.

Visual identity verification cannot be performed without the explicit consent of the applicant within the scope of the Law on Protection of Personal Data No. 6698. Before the visual identity verification, the obligation to inform is fulfilled by complying with the relevant provisions of the Law No. 6698 and separately from the process of obtaining explicit consent. While obtaining the explicit consent of the applicant, it is clearly stated that the identity verification process can be carried out electronically via the e-Government Gateway or face-to-face channels.

During video authentication, techniques to detect the applicant's liveness are used. To confirm the presence of the applicant presenting the ID, camera images are taken from different angles in a bright environment where the applicant's face can be seen fully and clearly, with eyes open. The operator/service provider uses artificial intelligence to compare the applicant's face in the live image with the photograph in the identity document.

It is the responsibility of the operator/service provider to correctly identify the applicant in identity verification processes.

In visual authentication, the applicant first declares a contact number or e-mail address. A one-time password or link is sent to this number or e-mail address to confirm that the declared contact information is in use.

If there is suspicion about the validity of the documents submitted by the applicant during video authentication, or if a fraud attempt is suspected, the video authentication process is terminated. In this context, the operator/service provider takes all necessary measures to prevent phishing and similar fraudulent methods.

In cases where it is not possible to make visual verification and/or communicate with the applicant as specified in this Regulation due to poor light conditions, poor image quality or transmission and similar situations, the identity verification process is cancelled.

Authentication in face-to-face transactions

Where transactions within the scope of this Regulation are carried out electronically in face-to-face channels between the applicant and the operator/service provider or a representative acting on its behalf, identity can be verified, as an alternative to the methods in Articles 6 and 7, by creating a PAdES-LTV PDF within the scope of the first paragraph of Article 9, using the applicant's TCKK and following the procedure specified in Annex-4. Alternatively, identity can be verified by taking a video recording specific to the transaction together with the applicant's identity document.

Identity information, including the photograph on the applicant's identity document, is obtained by the near field communication method.

In face-to-face transactions, identity can therefore be verified by creating a PDF signed in PAdES-LTV (an electronic signature format). Alternatively, identity can be verified by taking a video recording specific to the transaction together with the applicant's identity document.

Authorized Verification

The operator/service provider ensures that the authorized person and the working environment used for verification meet the following criteria:
• Verification is carried out by an authorized person who has been trained on this subject.
• It is ensured that the officer receives training on the verification process at least once a year and after each update, including the personal data protection legislation.
• It is ensured that the official receives training to determine whether the applicant is requesting the transactions specified in this Regulation voluntarily.
• During the verification process, it is ensured that the authorized person works in separate areas with restricted access, where necessary measures are taken to prevent possible security weaknesses or abuses.
• Necessary training is provided to at least one official in order to serve disabled people.

Within the scope of the regulation, all transactions are recorded and the data obtained are used only for the purposes of the processes of administrative and judicial authorities and the identity verification of the applicant who made the application.

The data recorded and obtained within the scope of the regulation are stored for the retention periods specified in the relevant legislation.

The operator/service provider should follow technological developments closely and continuously make the necessary updates against cases such as fraud and weaknesses in the identification method.

In all transactions made by the operator/service provider within the scope of this Regulation, the burden of proof lies with the operator/service provider. In case of objection in administrative and judicial processes regarding transactions that create liability and/or criminal liability for applicants or a third party, the burden of proof is on the operator/service provider.

For electronic documents containing personal data created within the scope of subscription agreements, number porting applications, operator/service provider change applications, qualified electronic certificate applications, registered e-mail applications and SIM change applications made before the effective date of this Regulation, the burden of proof in matters such as the time stamp and the document issuance date rests with the operator/service provider.

For the listed documents, within 3 months from the date of entry into force of the Regulation, 31 December 2021, the operator/service provider must transmit the identification number of the party to the transaction document, together with the telephone, service or qualified electronic certificate number or registered e-mail address with three of the last seven characters masked, to the mobile electronic communication operators and the information system provided by the e-Government Gateway, in the manner determined in the Regulation. The party to the transaction document is notified of this transmission via short message, e-mail or the e-Government Gateway.

Conclusion

As stated in the 3rd paragraph of the 5th article of the regulation, the following apply to service providers/operators:

• Preservation of identity information,
• Encryption of identity information while it is transferred for authentication purposes,
• The purpose of the transaction,
• Protection against unauthorized access or against changes made in an uncontrolled manner contrary to the principle of segregation of duties,
• Maintaining the confidentiality, security and integrity of transaction records regarding all processes carried out in information systems.

At this point, service providers/operators should take the necessary security measures, taking into account technological, operational and similar risks, in order to manage the process well.
