Turkey: New Era In The Turkish FinTech Industry

The Central Bank of the Republic of Turkey ("CBRT") has published two new pieces of legislation ("Secondary Legislation").

1) Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers ("Regulation")

2) Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services ("Communiqué on Information Systems")

The Secondary Legislation includes:

• Innovations on business conduct and information systems of current Payment Institutions ("PIs") and Electronic Money Institutions ("EMIs") "(hereinafter referred to as the "Institutions" together), and
• Certain rules companies offering open banking products must follow to obtain a license and perform their activities.

It is possible to summarize the highlights of the significant points introduced by the Secondary Legislation as follows. The details of the relevant headings are available in our article.

1. Obtaining a license is made subject to three stages

2. Minimum equity amounts are set, and obligations regarding professional liability insurance are imposed on certain institution types

3. Amounts of minimum and base collaterals that institutions must maintain before the CBRT are set

4. The way is paved for FaaS and WaaS business models

5. The way is paved for the Payment Funds Protection Accounts to be lent in overnight interest

6. Stable coins meeting certain conditions are included in the scope of electronic money.

7. Details of services rendered as part of open banking are determined

8. Institutions exclusively offering open banking services are allowed to provide value-added services while maintaining applicable operational limits of institutions

9. The limited network exemption is narrowed as part of the business model, and an obligation is introduced for making a notification to the CBRT about those who benefit from the limited network and agent exemptions with an annual transaction volume in excess of TRY 50 million

10. A merchant registration system is established before the Interbank Card Center ("BKM") for the prevention of activities that involve fraud and malicious uses

11. Rules on prepaid instruments and minor people are tightened

12. While identity authentication using remote communication tools is introduced, the soft KYC is restricted

13. Obligations regarding information systems have been aligned to the Regulation on Information Systems of Banks to a considerable extent

14. Cooperation between Institutions and companies abroad are made subject to strict rules

15. Companies in which institutions may hold shares are limited by their field of activity.

16. Sectoral practices regarding foreign service, board of directors, and corporate governance are reflected in obligations.

17. New obligations are introduced in terms of risk management, and the CBRT is granted authorization to request the suspension of the authority of independent audit firms

18. Matters regarding the protection of funds are clarified

19. Detailed regulations regarding contracts and payment transactions are introduced

20. Periods of compliance with, and transition to, the secondary regulations are set.

1. Obtaining a license is made subject to three stages.

• The process of applying for authorization, namely for license, for being a payment or e-money institution, is divided into three stages as follows: "Stage of Preliminary Application" which is to be filed before the CBRT before trade name is registered to the Trade Registry; the " Stage of Intelligence Review", which is to be conducted within six months after the completion of the initial stage; and the " Stage of Final Approval," which is to be conducted afterward.
• During the stage of Intelligence Review, the CBRT shall be informed regarding fields of activity, financial structure, and qualified shareholders of the companies. The Stage of Final Approval shall be initiated if the stage of intelligence review yields a positive result. At the stage of final approval, companies shall be expected to provide information on their capital, technical, personnel, workflows, insurance and coverage statuses, and their independent (technical and financial) audit reports.
• The license application fee has been fixed as TRY 500,000, and the license fee as TRY 1 Million, which is payable for once.
• A strict schedule is set for the stages of intelligence review and final approval.

(!!!) Before the Regulation, the PIs and EMIs had to fulfill their respective requirements, such as the employment of human resources before applying for a license. This situation was subject to criticism as it generated costs due to reasons such as an applicant company had to pay salaries when it was not active. With the three-phased license application model introduced, this situation is now eliminated. However, the Regulation has set a strict schedule for companies to apply; thus, the roadmap for authorization application has to be determined with meticulous attention.

2. Minimum equity amounts are set, and obligations regarding professional liability insurance are imposed on certain institutions.

• Minimum equity amounts have been set as TRY 3 Million for payment institutions that mediate invoice payments, TRL 5 Million for other payment institutions, and TRY 13 Million for electronic money institutions. These amounts shall be re-evaluated by the CBRT every year in January, considering the annual changes in the price indices published by the Turkish Statistical Institute.
• It is stipulated that the above-mentioned equity amounts represent the minimum amounts irrespective of the payment volume. In the event that required equity amounts to be determined using the formula (introduced in the Regulation) to be calculated gradually in line with the payment volumes of the Institutions are high, then the amount determined as such shall be valid.
• Institutions providing AIS services exclusively are exempted from the liability for minimum equity; Institutions that offer PIS, on the other hand, are under the obligation to provide a minimum amount of equity even if they offer this service exclusively (neither there is any specific capital limit for AIPSs in accordance with Law ?6493).
• Institutions that exclusively offer AIS are required to have professional liability insurance bearing an amount of at least TRY 1 Million. A rule has been adopted to increase the said insurance coverage by TRY 500.000 for every 100 thousand new customers.

3. Amounts of minimum and base collaterals that institutions must maintain before the CBRT are fixed.

• The amounts of collaterals that Institutions must maintain before the CBRT have been determined separately as "minimum" and "base" collaterals.
• The minimum collateral amounts have been set as TRY 2 Million for payment institutions that mediate invoice payments, TRL 3 Million for other payment institutions, and TRY 5 Million for electronic money institutions.
• The base collateral amount of the institutions is set using a formula that is to be calculated gradually, taking into account the number of customers.
• In addition, an institution is required to have additional collateral in the amount of TRL 500.000 for each 1000 agents, of which payment services are provided through.
• No obligation has been introduced for minimum collateral for payment institutions that exclusively provide AIS.

4. The way is paved for FaaS and WaaS business models

• Procedural requirements regarding the agents were detailed, and it is made obligatory to forward the necessary information and documentation regarding the agents to the Association of Payment and Electronic Money Institutions of Turkey ("Association"). At the same time, institutions are rendered to be responsible for paying attention to the selection of their agents.
• The electronic agency model is introduced.
• An institution is prohibited from authorizing third parties in any way for the purpose of providing payment services other than using an agent and signing a contract with third parties under a name other than the agency contract. This rule is considered to be tightening the cooperation options aiming to provide payment service with third parties.
• While the provisions regarding the opening of branches by institutions are basically preserved, they are now required to submit their branch lists.

The legitimacy of business models such as FinTech As A Service ("FaaS") or Wallet as a Service ("WaaS"), which have been on the rise all over the world recently, with Law numbered 6493 was a question mark. It is considered that with the electronic representation introduced by the Regulation, the way for these business models to be carried out in accordance with the Law has been paved.

It is considered that this is a positive development for FinTech players who do not want to be subject to a license but are willing to enjoy the benefits of FinTech products. We believe that said agent model would surely contribute positively to the Turkish FinTech market.

5. The way is paved for the Safeguarded Payment Funds to generate revenue.

• Institutions are allowed to lend their safeguarded funds on an overnight interest at the bank where the fund is held. However, the same permission is not granted for electronic money protection accounts.

6. Eligible stable coins are included in the scope of electronic money.

• It has been stipulated that intangible assets that are issued only in exchange for any one-to-one nominal currency and generated virtually and distributed over digital networks shall be accepted as electronic money provided that they are i) issued in exchange of funds accepted by the issuing entity, ii) electronically stored iii) used to perform payment transactions as defined in the Law and iv) accepted as a means of payment by real and legal persons other than the issuer.
• It has been regulated that the CBRT would make a separate regulation regarding the intangible assets that are to be included in the above scope.

It is considered that the financial instrument described above is close to stable coins due to its nature. In this context, stable coins that are likely to fall within the scope of the Regulation shall be considered as electronic money from now on, so companies that issue such coins shall be subject to licenses.

7. Details of services rendered as part of open banking are set

• The Interbank Card Center ("BKM") has been identified as the sole aggregator for AIS and PIS. Therefore, payment service providers ("PSPs") shall perform data exchange via the BKM in connection with open banking activities.
• The BKM has been authorized by the CBRT to check whether the technical and operational requirements to be published regarding open banking services (AIS and PIS) have been complied with, and BKM's approval has been made a condition for obtaining an operating permit.
• It has been made obligatory for all PSPs to make their payment accounts available to all other authorized PSPs that make a request, by connecting to the BKM within 6 months at the latest, after obtaining the necessary permissions and starting their operations, for all PSPs that have a payment account related to AIS and PIS.
• It is obligatory that the fees, expenses, commissions and other benefits that the PSPs with a payment account shall charge to the authorized PSPs regarding the AIS and PIS should be at a reasonable level, directly associated with and proportional to the costs that can be associated with such work. The CBRT is granted the authority to fix the maximum/minimum sums in this regard or to decide whether these services should be performed (between the PSPs) at no cost.
• The CBRT is granted the authority to regulate which data can be shared as part of open banking activities by taking the Competition Authority's opinion on competition-sensitive data.
• Current accounts, transaction accounts, credit card accounts, electronic money accounts maintained at PSPs, as well as accounts opened on behalf of customers and where funds can be transferred to other people without being tied to another account and account other than where temporary movements are monitored, are defined as payment accounts within the scope of open banking activities. The CBRT is granted the authority to make a final decision about which of the accounts used for the services provided by the PSPs would be considered as payment account pursuant to the Law numbered 6493.
• Operational and data flow rules applicable for accessing payment accounts during the delivery of PIS and AIS have been determined.

8. Institutions exclusively offering open banking services are allowed to engage in value-added services

• The activities that can PIs and EMIs - e.g., outside the payment system - are allowed to engage in are preserved. In addition, the Institutions are authorized to trade foreign currencies under certain conditions.
• Institutions exclusively providing Open Banking services are allowed to provide "value-added services" with respect to administrative and operational processes of legal entities and merchants and "information services related to other accounts held before PSPs and not considered as payment accounts.". Value-added service, on the other hand, is defined as follows: "services that do not fall under payment services pursuant to the Law numbered 6493, but that facilitate, secure or increase the efficiency of the administrative and operational processes of legal entities and traders such as trade debt and receivable management, accounting, invoicing, product, stock and supply management".
• The ban on lending by institutions still continues, and mobile payments are preserved as an exception to this situation as in the past, but some restrictive regulations are introduced.

(!!!) Before being defined as licensed services, Open Banking services in Turkey were majorly being provided by companies that offer either ERP services or other additional services such as invoicing, product, stock, and supply management among others. It was a matter of curiosity how these companies would act within the limits of activity field specific to the Institutions when they obtained a license from the CBRT so that they could continue to offer open banking services.

The Regulation provides flexibility in this regard, allowing the institutions providing Open Banking services to provide value-added services and information services related to other accounts held with payment service providers that are not considered payment accounts.

To state the practical result of this situation, companies falling under the said scope shall be able to continue to offer services other than payment services as long as they continue to be included in the scope of "value-added services." However, as these companies offer open banking services, they shall have to obtain a license as a payment institution and fulfill all obligations to which payment institutions are subject in any case. For this reason, it may be possible for these companies to prefer to offer open banking services through agent model as an alternative.

9. The limited network exemption is narrowed, and an obligation is introduced for making a notification to the CBRT about those who benefit from the exemptions with an annual transaction volume in excess of try 50 million.

• Companies that provide payment services by making use of the limited network and/or commercial representative exemptions are obliged to notify the CBRT in January each year if the amount of transactions they have performed within this scope in the last 12 months exceeds TRY 50 million. The CBRT is authorized to include these services in the scope of payment or electronic money services. Therefore, it may be necessary for these institutions to obtain a license.
• In order for companies to benefit from the limited network exemption for prepaid instruments that can only be used in a certain service network, the relevant payment tool must be used only for purchases made from a certain store or chain of stores in order to benefit from this exception. The same obligation has also been introduced in terms of payments.
• However, it is stipulated that prepaid instruments designed to be valid in all merchants, which are added to the merchant chain where the prepaid cards can be used within the scope of the contract executed with the issuer, may not benefit from the limited network exception.
• In case the payment instrument is used as a payment method in the merchants, and the amount of the payment transaction is transferred through the issuer in connection with such transactions, it is stipulated that the issuer must be authorized to issue electronic money.

Companies that offer prepaid instruments and offer marketplace or loyalty card business models that dynamically add new brands to their scope may need to re-evaluate their business models within the framework of this provision.

10. A merchant registration system is established before the BKM for the prevention of activities that involve fraud and malicious uses

• In order to prevent instances of fraud and malicious use in the field of payments, a Merchant Registration System is established before the BKM. The Institutions are obliged to notify their contracted merchants of such a system and to check the system prior to making a contract with any merchant.
• The Institutions are subject to the rule that no service may be provided to a merchant if there is a ban imposed the Merchant Registration System on providing service to such merchant, and in the existence of such a ban, Institutions are obliged to make necessary assessments within the framework of the risk management process, taking into account the content of the available records.

11. Rules on prepaid instruments and minor people are tightened.

• The field of use of anonymous prepaid instruments is limited to the payment transactions where the prepaid instrument holder is physically present at the merchant, and the anonymous prepaid instrument is physically used, and also to the purchases of goods or services and invoicing transactions performed by service providers and intermediary service providers who receive the Trust Stamp (a trust certification for e-commerce service providers).
• Electronic communication operators are obliged to offer mobile payment services to their prepaid or postpaid subscribers in a closed manner at the first stage.
• The provision of mobile payment services to non-adult prepaid or postpaid users ("subscribers") by electronic communication operators is made subject to the condition that the legal representative of the minor has given approval for these transactions. However, in cases where a subscriber does not declare that the user of the line is a different person and is a minor during or after the establishment of a contract, it is accepted that the user of the line is a subscriber and an adult, that is, a kind of Opt-Out system has been adopted for this purpose.
• With the exception of anonymous prepaid instruments, the rule of obtaining the approval of the legal representative of a minor, recording the approval obtained, establishing the necessary procedures for the first-time issuance of a prepaid instrument to a minor, and opening an electronic money account is introduced. In addition, the obligation to develop monitoring applications that shall enable the legal representatives to follow relevant transactions and to make them available when requested by these persons is introduced.

12. While digital onboarding is introduced, the type of transactions that could be carried out by simplified measures is narrowed

• Institutions are provided with an opportunity to conclude contracts with users via remote communication tools ("Digital Onboarding").
• It is stipulated that there is a possibility that information and documentation required to be obtained from a customer regarding a framework contract to be established via a remote communication tool can be obtained through a central structure that is approved by the CBRT. In this context, there is a possibility of establishing a central digital identity provider in the near future.
• It is made obligatory to onboard customers that will perform a series of payments, which are maintained under a framework contract and which are continuous in nature, via remote communication or face to face.

Banks were given the opportunity to acquire customers digitally within the limits of the Regulation published by the Banking Regulation and Supervision Agency this year and subsequently by MASAK. The opportunity for FinTechs to benefit from this opportunity has been expected for a long time. With the Regulation, we can say that this opportunity has opened up. However, on the other hand, it would not be wrong to say that FinTechs' room for simplified measures, which has an advantage over banks, has been narrowed due to the new regulations in the Regulation.

13. Obligations regarding information systems have been aligned to the Regulation on information systems of banks to a considerable extent

• Considering the amendments introduced by the Communiqué, it is noted that the obligations of the Institutions regarding information systems have been largely aligned with the "Regulation on Information Systems and Electronic Banking Services of Banks".
• It is considered that the obligations imposed on the Institutions with respect to information systems have a very wide and detailed scope, therefore the Institutions should review their information system practices thoroughly.
• It is possible to divide the headings contained in the Communiqué into the following main headings: Generating security information for customers; rules on the internal governance of information systems; generation of software and hardware inventories; generation of secure standard configuration information on all devices available within the organization; network segmentation; new rules for authentication; and details of penetration tests.

14. Cooperation between Institutions and companies abroad are made subject to strict rules

• Cooperation between the Institutions and legal entities abroad is made subject to the condition that the legal entity abroad has obtained the necessary permission from the CBRT.
• The scope of such cooperation is limited to the provision of payment services covered by the Law by the Institution to its domestic customers through a legal entity residing abroad, and only to such payment services where at least one of the payer or payee is seated abroad.
• It is stated that if the log records pertaining to services offered as part of such cooperation are kept by the Institution, the information systems of the legal person residing abroad shall not be required to be hosted in Turkey.
• The CBRT is granted the authority to impose additional equity and collateral obligations on the Institutions that cooperate abroad.

15. Companies in which institutions may hold shares are made limited by their field of activity

• Companies in which the Institutions may be shareholders have identified as i) companies that issue electronic money, i) companies that provide payment services, iii) companies that provide payment services within the scope of exemptions, such as limited network or commercial representative exemptions, iv) companies that provide services for institutions within operating limits and v) companies that provide value added services. And the Institutions are prohibited from holding shares in any companies that fall outside this scope.
• The Institutions are made obliged to notify the CBRT in case of acquiring shares in other companies, and the CBRT is granted authority to request an Institution to take measures to prevent this situation if it decides that it may adversely affect the activities of the Institution. If these measures are not taken, the CBRT holds authority to request the Institution to suspend the transaction or to revert to the former situation in case the transaction has been completed.

16. Sectoral practices regarding outsourcing, board of directors and corporate governance are reflected in obligations.

• The obligations related to Out Sourcing, Board of Directors, and Corporate Governance are maintained to a large extent, however, some sectoral practices are clarified and introduced into the scope of obligations, and minor additional obligations are introduced.
• It is clarified that the control of activities carried out by the representatives or through outsourcing shall be subject to internal control processes.
• It is clarified that, during the outsourcing process, an institution is obliged to show utmost attention and perform due diligence if necessary in the selection of the outsourcing service provider, to clarify the obligations of such outsourcing provider in a contract, and to manage these risks effectively, taking into account such additional risks that may arise from outsourcing.

17. New obligations are introduced in terms of risk management and the CBRT is granted authorization to request the suspension of the authority of independent audit firms.

• A risk management system should be established that shall identify all risks that may result from any activities performed by the Institution, or connections with other institutions that are involved in the activities performed, or payment systems attended, or external service providers, representatives and other issues related to the activities carried out, and that may endanger the smooth performance of activities, and the system shall ensure that such risks are managed in an effective manner.
• As part of risk management activities, a rule is introduced for the conduct of necessary investigations, primarily through social media and online platforms, to determine whether services provided by the Institution under the Law numbered 6493 are used in illegal activities, especially for illegal betting, and to take necessary measures to prevent such deals.
• The CBRT is granted the authority to decide that independent audit services are not obtained from any specific independent audit firm by the Institutions, if it deems necessary.
• The Institutions are required to establish a business continuity plan.

18. Matters Regarding the Protection of Funds are Clarified

• A rule has been introduced that payment funds required to be deposited into the protection accounts must be calculated as of 15.00 p.m. on a full business day or at 11.00 a.m. on a half business day.
• A rule is introduced that service fees received in the form of commissions, fees and etc., in relation to the issuance of funds and electronic monies shall be collected through segregation thereof and that the service fees received shall not be reflected in electronic money protection accounts.

19. Detailed Regulations Regarding Contracts and Payment Transactions Are Introduced

• The items that should be included in Single Payment and Framework Contracts to be signed with consumers are detailed, and the conditions applicable for establishing these agreements via remote communication tools are regulated.
• Entities are now made obliged to clearly inform consumers of their respective rights.
• The CBRT is granted authorization to determine and to partially or completely release, the qualifications, maximum amounts or rates of fees, expenses, commissions, and other benefits that are collected by one of the parties to a transaction performed under any name regarding a certain type of transactions within the scope of payment service and electronic money issuance.
• The Institution where the payment account is available is granted authorization to block access to the payment account by the account information service provider or the payment order initiation service provider for any objective and demonstrable reasons, such as fraudulent or unauthorized access to the payment account or attempts to initiate a payment transaction in a fraudulent or unauthorized manner.
• The responsibilities of the parties regarding notification, correction, and proving issues are regulated in terms of deals that are not authorized or are performed incorrectly during the PIS.

20. Periods of Compliance with and transition to the Secondary Regulations are set

• The deadline has been set as December 1, 2022, for the period of compliance with the Regulation for such Institutions that already hold a license.
• The deadline has been set as December 1, 2022, for the companies who applied for a license prior to the effective date of the Regulation (compliance with the provisions of the Regulation on equity and collateral liability and with the provisions on the protection of payment funds and the protection of funds collected in return for electronic money is required in any case; otherwise no operating license shall be granted).
• The deadline for the Institutions providing Open Banking services to align their activities with the operation limit set in the Regulation has been set as 1 year after obtaining a license.
• In terms of the business models of such Institutions that cooperate with an entity abroad, the deadline for the cooperating entity to apply to the CBRT for a permit has been set as June 1, 2022.
• The deadline for obtaining an operating license for such Institutions that cannot benefit from the limited network exemption has been set as December 1, 2022.
• The deadline for obtaining an operating license for issuers of crypto-assets specified in the Regulation has been set as December 1, 2022.
• Apart from the above, various deadlines have been set for compliance with the Regulation, such as of contracts (e.g., agency agreements), business models (e.g., mobile payment), or situations (e.g., owning shares in other companies) in various fields.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.