26 October 2025Yavuz AKBULAK

99READS

Know your customer ruled different country regulations and the situation in Türkiye

In an increasingly global economy, financial institutions are becoming more vulnerable to illicit criminal activities. Know Your Customer (KYC) standards are designed to protect financial institutions against fraud, corruption, money laundering and terrorist financing^[1].

KYC involves several steps:

1. Establishing customer identity.
2. Understanding the nature of customers’ activities and ensuring that the source of funds is legitimate.
3. Assessing money laundering risks associated with customers.

Effective KYC processes are the backbone of any successful compliance and risk management program, and the demands of meeting KYC obligations are intensifying. With anti-money laundering (AML) and KYC compliance growing in importance as more stringent regulatory requirements come into force, banks and corporates are dedicating significant resources and time to KYC compliance processes.

Although banks and regulators have indicated a willingness to move towards standardized KYC requirements and align internal processes, there is still a way to go. A number of initiatives, both global and local, aimed at improving the process on a global scale have come and gone. Overcoming these challenges requires a proactive and collaborative approach to cultivate change.

KYC compliance plays a critical role in real-time, cross-border payments by facilitating higher levels of trust, transparency and collaboration, while also mitigating risk. A community approach is essential to expedite the compliance process and develop new, more collaborative methods to combat financial crime.

Global KYC Regulations and Compliance

KYC regulations and compliance are essential requirements for financial institutions and other businesses that deal with sensitive customer information. These regulations serve as a means to prevent money laundering, terrorist financing, and other illegal activities. By adhering to KYC rules, businesses can maintain a strong reputation and avoid legal troubles.

The primary objective of Know Your Customer (KYC) guidelines is to identify and verify the identity of customers before entering into a business relationship. This process involves collecting and analyzing customer data, such as name, address, date of birth, and identification documents. In today’s global economy, businesses need to be aware of the various KYC regulations and compliance requirements across different countries and jurisdictions.

Global KYC regulations vary across countries and jurisdictions, as different governments have their own set of rules and requirements. However, there are some common elements and principles that form the foundation of KYC regulations worldwide. While specifics may vary, AML/KYC regulatory requirements universally aim to mitigate the risks associated with financial crimes.

These include:

1. Customer Identification and Verification:^[2] Businesses must collect and verify the identity of their customers by obtaining relevant documents, such as passports, driver’s licenses, or national ID cards.
2. Customer Due Diligence (CDD): Businesses must perform a risk assessment of their customers to understand their financial activities and determine the level of risk they pose. This includes collecting information on the purpose of the business relationship, the source of funds, and the customer’s occupation or business activities.
3. Enhanced Due Diligence (EDD): For high-risk customers, businesses need to conduct more in-depth investigations, such as obtaining additional documentation or information on the customer’s background and financial activities.
4. Ongoing Monitoring: Businesses must continuously monitor their customers’ transactions and activities to detect any suspicious behavior or changes in risk profiles.
5. Reporting: Businesses must report any suspicious activities to the relevant authorities, such as the Financial Intelligence Unit (FIU) or the Financial Crimes Enforcement Network^[3] (FinCEN), depending on the jurisdiction.

With the rapidly evolving financial landscape, KYC regulations are continuously being updated to address new risks and challenges. Some key updates and changes in KYC regulations include:

• Increased focus on digital identity verification.
• Expansion of KYC requirements to non-financial institutions.
• Enhanced data privacy and protection requirements.

Know Your Customer compliance involves verifying a client’s identity, suitability, and assessing the risks associated with maintaining a business relationship with them. This process helps prevent money laundering, terrorism financing, and fraud.

While there are common principles and elements in KYC regulations worldwide, there are also specific requirements for each country or jurisdiction. In the context of AML finance, these jurisdiction-specific nuances play a critical role. Some examples of country-specific KYC requirements include:

United States: The USA has stringent KYC requirements under the Bank Secrecy Act (BSA) and the USA PATRIOT Act^[4]. Financial institutions must comply with the Customer Identification Program (CIP) rules, which mandate the collection and verification of customer identification information. Moreover, they must also comply with FinCEN’s Customer Due Diligence (CDD) Rule, which requires the identification and KYC verification of beneficial owners of legal entity customers.

European Union: The EU has introduced the Fifth Anti-Money Laundering Directive (5AMLD) and the Sixth Anti-Money Laundering Directive (6AMLD), which set forth comprehensive KYC requirements for financial institutions and other businesses. These directives mandate the performance of Customer Due Diligence, the identification of beneficial owners, and the establishment of risk-based procedures for ongoing monitoring^[5].

United Kingdom: The UK follows the EU’s AML directives and has its own set of regulations, such as the Money Laundering Regulations (MLR) and the Proceeds of Crime Act^[6] (POCA). These regulations require businesses to conduct CDD, establish risk-based KYC policies and procedures, and maintain records of customer information and transactions. The Anti-Money Laundering Act and the Crime Act bolster these regulations, making them a legal obligation for businesses.

Below are the basic testing principles in other countries:

China: Financial institutions adhere to the Anti-Money Laundering Law, supervised by PBOC, CBRC, CSRC, and CIRC.

Japan: KYC regulations, overseen by the FSA^[7], mandate verifying customer names, addresses, and dates of birth against official documents.

India: Governed by the Prevention of Money Laundering Act^[8], requiring identity verification using documents such as PAN Cards and passports.

Singapore: KYC requirements are enforced by MAS, necessitating the verification of various customer details.

Australia: The Anti-Money Laundering and Counter-Terrorism Financing Act of 2006^[9], regulated by AUSTRAC, demands customer data verification.

New Zealand: Compliance under the AML/CFT Act, supervised by the Reserve Bank and Financial Markets Authority, involves verifying name, date of birth, and addresses.

Individual EU States: Each country develops its KYC laws based on EU directives like 4AMLD, 5AMLD, and 6AMLD, tailored to their specific needs.

France, Germany, Italy, Spain, Switzerland: Distinct regulations exist in each country; regulatory bodies ensure compliance with their respective laws.

Canada: Compliance with the PCMLTFA involves verifying names, dates of birth, addresses, and occupations, overseen by FINTRAC^[10].

Mexico: Regulations enforced by the FIU to combat money laundering and financial crimes.

Argentina: KYC is classified under Law 25.246, overseen by UIF and BCRA, categorizing clients as “permanent” or “not frequent” for differing verification requirements.

Brazil: Compliance under Law 9,613 includes verifying names, nationalities, dates of birth, and official IDs, regulated by COAF and BCB.

Chile: Governed by Law 19.366, verification includes customer details such as names, tax IDs, and occupations, overseen by UAF.

Regulations Regarding Know Your Customer in Türkiye

Money laundering, or simply laundering, is typically defined as the act of integrating illegally acquired profits into the economy by hiding their origins or altering their form to make them appear legitimate. The objective of combating money laundering is to prevent financial systems and institutions from being used as tools in the laundering process, to uphold trust in the system, and to eradicate the root causes by depriving criminals of their illicit gains. On the other hand, financing terrorism and the proliferation of weapons of mass destruction generally involves the transfer of funds or assets derived from both legal and illegal activities to terrorists or terrorist groups, or for the development of nuclear activities or nuclear weapons delivery systems. The aim of combating the financing of terrorism is to cut off the financial resources of terrorist organizations and reduce their chances of success by disrupting the flow of these funds.

In this context, international and domestic law have imposed “obligations” on financial institutions^[11] and certain other professional groups to effectively launder combat money, the financing of terrorism and the proliferation of weapons of mass destruction, as well as to prevent the exploitation of the financial system by criminals. In Turkish law, the second section of Law No. 5549, titled “Obligations and Information Exchange,” regulates the obligations of identification, suspicious transaction reporting, training, internal auditing, control and risk management systems and other measures, continuous information provision, provision of information and documents, preservation and presentation, and electronic notification.

The “know your customer principle” is crucial for protecting obligors from individuals and actions related to money laundering, financing of terrorism and the proliferation of weapons of mass destruction, and for the effective management of their risks. Knowing your customer also forms the basis of all other processes related to the prevention of these crimes.

Article 3/1 of Law No. 5549 Prevention of Laundering Proceeds of Crime requires obligors to identify individuals conducting transactions and those on whose behalf or account transactions are being made. They must also take necessary steps before engaging in any transactions with them or related to intermediary transactions. The “Principles Regarding Customer Identification” are detailed in the third section of the Regulation on Measures to Prevent Laundering Proceeds of Crime and the Financing of Terrorism.

Classes 6 to 14 of the Regulation on Measures outline the procedure for identifying natural persons, legal entities registered in the trade registry, associations and foundations, unions and confederations, political parties, legal entities located abroad, entities that are not legal entities, public institutions, and persons acting on behalf of others.

Obligated parties must implement one or more of the following measures, proportionate to the identified risk, in transactions that require special attention as outlined in Article 18 of the Measures Regulation. This includes taking measures against technological risks as outlined in Article 20 and managing relations with risky countries as outlined in Article 25. These measures also apply to high-risk situations identified within the framework of the risk-based approach. The measures include:

• Obtain more information about the client and regularly update their identity as the beneficial owner.
• Gather additional details about the nature of the business relationship.
• Obtain as much information as possible about the source of the client’s assets and funds.
• Obtain information regarding the purpose of the transaction.
• Ensure approval from a senior official before establishing a business relationship, continuing an existing one, or completing a transaction.
• Monitor the business relationship closely by increasing the number and frequency of controls and identifying transactions that require further scrutiny.
• Request that the initial financial transaction in establishing a permanent business relationship be conducted through another financial institution that adheres to know-your-customer principles.

Measures regarding customer identification include the following:

• Identification of natural person customers.
• Identification of other customers such as legal entities registered in the trade registry, associations and foundations, unions and confederations, political parties, legal entities established abroad, unincorporated organizations, or public institutions.
• Identification of the beneficial owner.
• Monitoring of customer status and transactions.
• Implementation of additional measures.
• Other regulations regarding customer recognition are as follows:

Laws

1. Capital Markets Law No. 6362, Article 42/2.
2. Banking Law No. 5411.
3. Law on Financial Leasing, Factoring, Financing and Saving Financing Companies Law No.6361.
4. Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions.
5. Misdemeanours Law No. 5326.
6. Turkish Criminal Law No. 5237.

Regulations

1. Regulation on the Disuse of Crypto Assets in Payments, Publication Date/No: 16.4.2021 - 31456.
2. Regulation On Oversight of Payment And Securities Settlement Systems, Publication Date/No 28.6.2014 - 29044.
3. Regulation on Operations of Payment and Securities Settlement Systems, Publication Date/No 28.6.2014 - 29044.
4. Regulation of Duties and Working Procedures of Financial Crimes Investigation Experts, Publication Date/No 20/08/1998 - 23439.
5. Regulation on Working Procedures and Principles of the Coordination Board (Amended on 10.06.2014), Publication Date/No 14.12.2007 - 26730.
6. Regulation on Postponement of Transactions Within the Scope of Prevention of Laundering Proceeds of Crime and Financing of Terrorism.
7. Regulation Regarding the Examination of Money Laundering Offence (Amended on 10.06.2014)
8. Regulation on Program of Compliance with Obligations of Anti-Money Laundering and Combating the Financing of Terrorism (RoC), Publication Date/No 04.08.2007 - 26603.
9. Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism (RoM), Publication Date/No 09.01.2008 - 26751.

The Financial Crimes Investigation Board’s and Other Communiqués

1. General Communiqué No. 21
2. General Communiqué No. 13
3. General Communiqué No. 8
4. General Communiqué No. 7
5. General Communiqué No. 5 (Amended on 07.12.2017)

Communiqué on Remote Identification Methods to be Used by Brokerage Firms and Portfolio Management Companies and the Establishment of Contractual Relations in an Electronic Environment, Publication Date/No 08.02.2022 - 31744.

Know Your Customer Obligation

In accordance with the principles of Know Your Customer, obligors must identify the parties involved in transactions and those on whose behalf the transactions are being conducted. They must also take any other necessary steps before facilitating or conducting any transactions.

Platforms, which are organizations engaging in various transactions involving crypto assets such as purchasing and selling, initial sale or distribution, exchanging, transfering, storing, and other specified transactions, are required to enter into a remote framework agreement with their customers. This agreement can be in writing or through remote communication means before initiating any transactions.

For brokerage firms and portfolio management companies, remote identification is conducted through an online video call with communication between the personnel (the individual assigned by the brokerage firm or portfolio management company to oversee the remote identification process) and the individual (the natural person to be identified or the natural person trader) without the requirement of physical presence in the same location. Throughout the remote identification process, only biometric data can be utilized for identification purposes, and the individual’s explicit consent is electronically documented. The video call phase of remote identification is carried out in real time and without any interruption.

During remote identification via video call, an ID document with visually distinguishable security elements, a photograph, and a signature are used under white light. Verifying the identification information on the ID document’s chip using near-field communication ensures that the required match for identification is achieved. This verification is performed by checking:

1. a) The ID document used was issued by the issuing authority and that the information on the document’s contactless chip has not been altered.
2. b) The keys on the ID document’s contactless chip have not been created by duplicating them.

If visual verification and/or verbal communication with the person is not possible as specified in the relevant communiqué due to poor lighting conditions, poor image quality or transmission issues, the video call phase of remote identification is terminated. It is the responsibility of the brokerage firm or portfolio management company to ensure that the solutions used for remote identification are implemented in a way that minimizes the risk of false identification.

Crypto asset service providers must also report suspicious transaction when establishing a continuous business relationship in the following cases:

- In cases requiring suspicious transaction reporting, regardless of the amount.

• When there is doubt about the adequacy and accuracy of previously obtained customer identification information, regardless of the amount.
• When the transaction amount or the total amount of multiple interconnected transactions is fifteen thousand Turkish lira (TL) or more.
• When the transaction amount or the total amount of multiple interconnected transactions in crypto asset transfers they conduct is fifteen thousand TL or more.

The company must verify the accuracy of identity information to identify its customers and any representatives acting on their behalf, as well as determine the true beneficiary of the transaction. This identification process must be completed before establishing a business relationship or conducting any transaction.

The accuracy of identity information is verified through:

• A Turkish ID card, Turkish driver’s license, or passport for Turkish nationals, along with any identification document bearing a Turkish ID number and clearly designated as official identification by special laws.
• A passport, residence permit, or an identification document approved by the Ministry of Treasury and Finance for non-Turkish nationals.

As of March 13, 2025, cryptoasset service providers are now allowed to conduct remote identification when establishing a long-term business relationship with individual customers. This remote identification process must be completed online, without interruptions, visually, and in real time.

The address and identification information collected during the identification process, such as name, surname, date of birth, and Turkish Republic ID number, must be verified through the Ministry of Interior’s General Directorate of Population and Citizenship Affairs’ identity sharing system database. However, cryptoasset service providers are prohibited from conducting remote identification if they are involved in facilitating the purchase, sale, or storage of privacy-based cryptoassets.

Conclusion

Know Your Customer (KYC) regulations and compliance requirements are essential components of a strong anti-money laundering and counter-terrorism financing framework. Businesses need to be aware of the different KYC requirements in various countries and jurisdictions, implement best practices for compliance, and use technology and tools to enhance the efficiency and accuracy of the KYC process. To ensure KYC compliance, businesses should focus on data privacy and protection, take a risk-based approach to KYC compliance, and build strong relationships with regulators and law enforcement agencies.

The Know Your Customer rule is also regulated in Türkiye where crypto asset service providers, especially financial institutions, are obligated to comply. One significant innovation is the remote identification process, with defined technical requirements as follows:

• The process must be conducted online, uninterrupted, visually, and in real time.
• Methods must verify the authenticity of the identity document and the liveness of the person.
• The entire process must be recorded, auditable, and stored.

As a result, video and live interactive verification for remote identity verification has become standard.

It is beneficial for businesses and financial institutions in a responsible position to comply with these obligations.

(The opinions expressed in this article belong to the author and do not bind the institution he/she works for, and cannot be used to establish a relationship with the institution or position of the author. All errors, flaws, deficiencies and shortcomings in the article belong to the author.)