Guide to Enhanced Measures 2025 – MASAK

The Guide to Enhanced Due Diligence Measures 2025 – MASAK. The reliability of financial systems is considered critically important, not only for economic stability but also for the preservation of social order. Furthermore, the increasing risks of money laundering and terrorist financing have necessitated that stricter supervision and control mechanisms be developed by financial institutions and certain professional groups. Consequently, Enhanced Due Diligence (EDD) measures are defined at this point, referring to a more comprehensive and detailed inspection process that goes beyond standard precautions.

Definition of Enhanced Due Diligence Measures

Enhanced Due Diligence measures are additional precautions that must be taken regarding high-risk customers, transactions, or countries within the framework of a risk-based approach. The objectives in this regard are as follows:

• Customer identity must be verified using stronger tools.
• The source and purpose of transactions should be understood transparently.
• The misuse of the financial system is prevented.
• Correct and timely notification to the relevant authorities is ensured in suspicious situations.

Therefore, these measures aim to minimize the risk of financial crime by surpassing standard Know Your Customer (KYC) processes.

Why Are They Necessary?

Serious risk factors are created for financial institutions today, particularly by:

• Crypto asset transactions,
• High-value international money transfers,
• Complex partnership structures,
• Politically Exposed Persons (PEPs),
• Connections to high-risk countries.

These risks pose a threat not only to monetary loss but also to the reputation and legal liability of institutions. Consequently, Enhanced Due Diligence measures are applied to detect and eliminate these threats in advance.

In Which Cases Are They Applied?

Some typical situations in which the measures must be applied are as follows:

• High-Risk Customers: Politically Exposed Persons, entities operating in offshore centers, and customers with a history of suspicious transactions detected.
• High-Risk Transactions: Funds of unusual size, high-volume transactions repeated in very short periods, or unexplained fund inflows.
• High-Risk Countries: Transactions associated with countries deemed risky for money laundering by international organizations.
• Remote Identification: Relationships where face-to-face contact with the customer is not established and identity verification is carried out solely through digital means.

Scope of Enhanced Due Diligence Measures

The Guide to Enhanced Due Diligence Measures 2025 – MASAK. The measures are not meant only by “requesting additional documentation.” They also include a broader systematic approach:

1. In-depth Identity Verification: Methods such as multiple identification documents, biometric verification, and address confirmation are used.
2. Analysis of Income and Source of Funds: Documents relating to the customer’s income level, business sector, and the source of their funds are requested.
3. Understanding the Purpose of the Transaction: The justification for the transfer, commercial relationship, or documentation of individual needs is required.
4. Senior Management Approval: Approval must be obtained from the institution’s senior executives before starting work with high-risk customers.
5. Enhanced Monitoring: Transactions are continuously and more intensely monitored, and unusual movements are reported.
6. Regular Updates: Customer information is updated at specific intervals, and changes are systematically tracked.

Benefits of the Application

• Regulatory compliance is ensured: Compliance with legal regulations protects against penal sanctions.
• Reputation is protected: The risk of being associated with activities like money laundering or terrorist financing is reduced.
• Operational transparency increases: Internal risk management functions more healthily.
• International cooperation is facilitated: The level of reliability is raised for institutions operating on a global scale.

The Difference Between Simplified and Enhanced Due Diligence Measures

Simplified Measures

The Guide to Enhanced Due Diligence Measures 2025 – MASAK. Not every customer or transaction carries the same risk level in the financial system. Therefore, institutions are allowed to implement simplified measures in certain cases, as the risk of money laundering or terrorist financing is considered quite low. This approach means that standard obligations are fulfilled in a mitigated manner.

For instance:

• Transactions carried out between financial institutions themselves,
• Transactions conducted with public administrations or professional organizations of a public institution nature that are within the scope of general administration according to Law No. 5018,
• Business relationships established through mass customer acceptance under salary payment agreements,
• Transactions related to retirement plans or retirement contracts providing retirement rights by deducting from employees’ wages,
• Transactions involving publicly traded companies whose shares are listed on the stock exchange,

are some situations that can be evaluated within this scope.

However, even if the implementation of simplified measures is permitted, these methods are overridden in situations where the risk is high or the possibility of a suspicious transaction exists. In such cases, obligated parties must resort to normal or Enhanced Due Diligence measures.

Enhanced Due Diligence Measures

The Guide to Enhanced Due Diligence Measures 2025 – MASAK. Conversely, Enhanced Due Diligence measures are applied for customers or transactions where the risk is high rather than low. These measures include the more comprehensive control steps that are implemented by financial institutions and certain professional groups within the framework of a risk-based approach.

The prominent applications within this framework are:

• Additional information must be collected about the customer, and the identity information of both the customer and the beneficial owner should be updated more frequently.
• More detailed information must be obtained about the nature and purpose of the business relationship.
• The most comprehensive possible information regarding the source of the funds and assets subject to the transaction must be acquired.
• Starting a business relationship with the customer or continuing an existing one is made conditional on the approval of the institution’s senior management.
• The number and frequency of controls are increased; certain types of transactions are placed under additional surveillance.
• In the event that a continuous business relationship is established, the first financial movement is required to be made through a reliable financial institution where identity verification processes were applied.

Furthermore, the Ministry is authorized to determine separately the situations considered high-risk and the additional measures to be applied in these situations.

When Should EDD Be Applied? (Concrete Criteria)

EDD must be applied if any of the following situations are involved:

• High-value cash transactions, high-volume transfers repeated in a short period, or unusual transaction patterns.
• The customer’s country/the transaction’s country is classified as high-risk.
• Complex, non-transparent legal structures or chain partnership schemes.
• Significant uncertainties or inconsistent information in relationships established through remote identification.
• Relationships with crypto asset service providers or privacy coins.

Remote Identification — Practical Rules

• Remote KYC should only be used on a risk-based approach; it should not be an automatic choice for every new customer.
• A customer profile must be created during remote verification: the purpose of the business relationship, expected transaction volume, and summary information on income should be collected.
• A combination of video verification, document OCR, and liveness check must be utilized; face-to-face confirmation is required to be requested in suspicious cases.
• If unusual activity is observed during the relationship initiated with remote verification, identity verification should be repeated face-to-face.

Points to Note in Crypto Transfers and CASP Relationships

• The sender/recipient history and suspicion of mixer/tumbling must be scanned through chain analysis.
• Transfers involving multiple chain bridges or anonymization layers should be considered high-risk.
• The counterparty’s KYC/AML policies, cold wallet management, and approach to privacy coins should be examined when entering into a business relationship with a CASP (Crypto Asset Service Provider).
• Controls on the compatibility of crypto sources with classic bank accounts (ID/account matching) must be strengthened.

Beneficial Owner Determination — Applicable Steps

• Direct and indirect shareholder structures must be resolved through company documents.
• Chain ownership analyses should be performed; both share ratio and effective control criteria should be examined for the determination of the ultimate beneficial owner.
• Control signals such as power of attorney, management authorities, and veto rights must be evaluated.
• If suspicion exists, EDD should be activated, and the process must be made subject to senior management approval.

Internal Organization: Who Should Do What?

• Compliance Policy (AML/KYC): A policy compliant with the guide, including risk classification and updated periodically, must be established.
• Compliance Officer (MLRO): EDD decision processes, authorization powers, and the reporting schedule must be clarified.
• Internal Controls & Internal Audit: EDD applications should be audited periodically; findings are required to be reported to senior management.
• Training: Regular training should be conducted on remote identification, crypto risks, and chain analysis tools.

Suspicious Transaction Report (STR/SIB) — Application Practices

• When suspicion arises as a result of an EDD review, the situation must be immediately documented: communication records, analysis reports, and transaction chain visuals should be retained.
• Clear criteria for the Suspicious Transaction Report (STR/SIB) decision must be defined within the SOP, and the notification timing is required to be adhered to.
• STR/SIB processes should be regularly reviewed to reduce false negatives.

Technology and Analytics: Which Tools Are Essential?

• KYC Platforms: Integrated tools for OCR, liveness, and PEP/Sanction screening.
• Transaction Monitoring (TM): Both rule-based and behavioral (ML-supported) engines.
• Blockchain Analytics: Address tagging, risk scoring, and mixer detection modules.
• Case Management: Centralized recording and reporting infrastructure for the review process.

Technology does not replace human decision-making; however, it provides critical support in risk detection and prioritization.

90-Day Implementation Roadmap (Quick Start)

Days 1–30: The guide must be internalized, a gap analysis should be conducted, and a policy update plan should be created.

Days 31–60: The remote KYC SOP should be reviewed, necessary technological improvements must be identified, and CASP relationships should be ranked by risk.

Days 61–90: EDD rules are required to be applied to pilot customers, training must be completed, and internal audit checklists should be implemented.

Measurable KPI Suggestions

• Average EDD review duration (hours/days),
• False-positive rate of alerts generated by TM,
• Review duration per STR/SIB,
• Approval duration for high-risk customers,
• Internal audit compliance scores.

Practical SOP Example (Brief)

SOP: High-Risk Customer Approval

1. A risk score is calculated when a customer is onboarded.
2. If the risk score exceeds a certain threshold, EDD is triggered.
3. Additional documents/transaction sources are requested under EDD; a chain analysis report is prepared.
4. The review result is presented for senior management approval.
5. The approval/rejection decision is recorded in the database; consequently, the relationship termination process is initiated in case of rejection.

SOURCE