A New Know Your Customer (KYC) Method Based On New Generation Smart ID Cards of Republic of Turkey (TCKK) and Customer Biometrics Qorus Banking Innovation Awards 2021

KYC (sometimes known as Know Your Client) is the mandatory process of identifying and verifying the identity of the client. It is a significant element in the fight against financial crime and money laundering and customer identification is the most critical aspect as it involves all the necessary actions to assess and monitor risks. Electronic Know Your Customer (eKYC) is a process, wherein the customer's identity and address are verified electronically. eKYC also refers to the capture of information from IDs (OCR mode), the extraction of digital data from government-issued smart IDs (with a chip) with a physical presence or online verification. The new electronic ID card promises to provide a universal, secure authentication scheme for all, or at least nearly all, public and private sector services using one reliable method. New Generation Smart ID Cards of Republic of Turkey (TCKK) was first issued on March 2016 to enable the electronic identity and electronic services for the citizens. Existing T.C. ID Cards have begun to be replaced with new TCKK since 02.01.2017 and the process will be completed till 2023. According to information received from the Republic of Turkey Population citizenship, more than 50% of Turkey's population have got their new identity cards. The new identity cards contain visual (Rainbow Print, Guilloche Image, Microtext text etc.) and digital (Biometric Image, Fingerprint, PIN, Certificate etc.) security factors. These features have not been used in many of the sectors as it is too early yet for an ecosystem of eID-enabled services to emerge and stabilize. With this project, Vakıfbank aims to be a pioneer of digital identity in banking process by using TCKK features in customer authentication and verification steps. There are three technology enablers of this innovative project; - New Generation Smart ID Cards of Republic of Turkey (TCKK) - NFC enabled devices - and facial biometrics TCKK includes personal and biometric information which allows authentication process to be enhanced with visual and electronic security elements of the highest EU standards. Citizens currently have the opportunity to identify themselves in electronic services based on authentication factors available on TCKK. One of the most critical authentication factor avaliable on TCKK is verification of the authentication certificate. It ensures that the ID is issued by the authorized institution and the ID card is valid. It is a significant element in the fight against financial crime especially for stolen or false identity use cases. The other critical information - which does not exist on the old version of ID cards - is the customer’s biometric picture in the contactless chip that allows us to perform facial biometric authentication. The method, basically verifies the customer’s biometric picture from TCKK with the face image of customer itself taken either by mobile device or tablets (tablet standing in front of the cash desk). National ID cards are based on ISO/IEC 14443 standard which is an international standard that defines the proximity cards used in Near Field Communication (NFC) operations and the transmission protocols used to communicate with it. To access the ID information and biometric picture on the contactless chip of the card, standard contactless card reader or NFC-enabled mobile devices need to be used. For the technical details of this method, the MRZ (Machine Readible Zone) field behind the ID is primarily obtained by using the Optical Character Recognition (OCR) method for identification serial number, date of birth and date of identification. The key required for Basic Access Control (BAC) needs to be generated from MRZ data. The production steps of this switch are described in ICAO 9303 standards. With these values, the key for BAC control is generated and the customer biometric picture in the ID is taken. The BAC security mechanism is used to prevent both the integrity and listening of communication between the contactless chip and the reader. After the basic access control (BAC) is performed, the name, surname, TC identity number, birth place, issuing institution and biometric information can be received from the contactless chip as specified in the ISO 19794-5 standards. For the usage of this KYC method, it is applicable to many different use cases either in mobile or bank branches. - in bank branches, officers will retrieve the customer information by using TCKK with standard card readers. - for mobile, as mobile devices already have NFC technology embedded, it is possible to retrieve the TCKK info with NFC.