FinTech Sector in Turkey: Critical Legislative Amendments
The Regulation Amending the Regulation on Payment Services and Electronic Money Issuance, Payment Service Providers (“Amending Regulation”) and the Communiqué Amending the Communiqué on the Management and Supervision of the IT Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in Payment Services Area (“Amending Communiqué”) has been published on the Official Gazette on October 7, 2023.
The relevant stakeholders have been eagerly anticipating the Amending Regulation and Amending Communiqué due to their significant impact on the business models of fintech companies. As expected, the Amending Regulation has introduced the significant provisions, including digital wallet services, which are regulated under the Turkish law for the first time.
In this regard, the following are the significant amendments made regarding the Regulation on Payment Services and Electronic Money Issuance, Payment Service Providers (“Regulation”) and the Communiqué on the Management and Supervision of the IT Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in Payment Services Area (“Communiqué”).
The Central Bank of the Republic of Turkey (“CBRT”) previously categorized the digital wallet services within the scope of payment service, under the Guidance on Associating Payments Business Models with Payment Service Types, published in September 2022 and the Guidelines on Data Sharing Services in Payment Services, published in April 2023. However, the secondary regulations did not embody any provisions on digital wallet services.
For the first time, with the publication of the Amending Regulation, digital wallet services have been introduced to the Turkish payment legislation and are now considered as payment services, which provokes the license requirements for digital wallet service providers. In this regard, in order to provide digital wallet services, these service providers will be required to obtain a license as a payment service provider and/or electronic money institution (“Institution”) from the CBRT.
The Institutions who were already providing digital wallet services must obtain authorization from the CBRT within one year from the Regulation’s effective date, namely October 7, 2024.
Definition of Digital Wallets
The Amending Regulation defines the digital wallet as a payment instrument which has the following characteristics:
offered as an electronic device, online service or application,
stores the information relating to the payment account or instrument defined by the customer,
enables the customer to perform a payment transaction using the information relating to the payment account or instrument defined by the customer.
Exemptions of the Digital Wallet Services
In addition to the exemptions regulated under the Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Law”), the Amending Regulation underlines the following services are not within the scope of digital wallet services:
Services provided by an Institution which can only identify and store the payment account held and payment instrument issued by the same Institution,
Services that store sensitive customer data on behalf of the business or the Institution that provided payment service, within the limits permitted by the legislation, that are not a direct party to any legal transaction with the customer, that do not create the impression on the customer that the payment transaction is performed through the custodian legal entity, where the custodian legal entity does not own the fund subject to the payment transaction at any time during the payment transaction, and that the rights and obligations regarding the activity carried out are clearly determined in the contract concluded between the parties.
Licenses for Digital Wallet Services
The Amending Regulation foresees that digital wallet service providers must obtain the following license based on the characteristics of their services:
For all digital wallet services
The Institution must be at least authorized for the issuance of payment instruments.
Depending on the services provided to the customer using the digital wallet, the Institution must be authorized to operate under the relevant licenses as well. For digital wallets being used as a payment instrument at businesses and funds related to these payment transactions are transferred through the Institution providing digital wallet service*
The Institution must be authorized for the issuance of electronic money.
For digital wallets that are valid in a way that the payment account within another Institution identified for the digital wallet or the payment instrument issued by another Institution is directly used for payment transactions carried out at businesses
The Institution must be authorized for the payment initiation services.
*The transfer of the funds related to the payment transaction through the organization providing digital wallet service is not considered within the scope of such authorization since the organization providing digital wallet service provides the necessary payment services to the business for the direct use of the payment account or payment instrument defined in the digital wallet in the payment transaction to be carried out at the business.
Expansion of the Activities of the PSPs
The Regulation had established a strict regime regarding the activities of the payment service providers (“PSPs”). The Amending Regulation expands the range of activities that can be carried out by the PSPs as follows:
PSPs may provide (i) value-added services to legal entities and (ii) qualified services to natural persons:
The value-added services are defined as “services that facilitate, secure or increase the efficiency of administrative and operational processes of legal entities and businesses, such as commercial debt and receivable management, accounting, invoicing, product, stock and supply management”.
The qualified services are defined as “services that do not fall within the scope of payment services as per the Law but facilitate, secure or increase the efficiency of payment services offered by supporting the financial status and financial awareness of natural persons, such as individual budget management, invoice management, account verification, reminders regarding payments”.
PSPs may provide services as an interface provider, as stipulated under the Regulation on the Operating Principles of Digital Banks and Service Model Banking (“Digital Banks Regulation”), except for transactions related to the purchase and sale of precious metals, precious stones and foreign exchange.
Pursuant to the Digital Banks Regulation, the interface providers are responsible for enabling their customers to perform their banking transactions by accessing the banking services offered by the service bank through the bank’s open banking services via its mobile application or internet browser-based interface.
PSPs may provide ancillary services that may increase the use of their payment services, such as marketing and directing the customer to the systems of the relevant financial institution in order to access the services of financial institutions whose activities are regulated and supervised by a competent authority within the framework of the relevant legislation, except for transactions related to foreign exchange.
PSPs may provide services within the scope of intermediation in activities related to the purchase and sale of processed precious metals and precious stones, provided that the amount of transactions to be intermediated by the PSPs within a month is limited to a maximum of 1% of the payment volume of the previous calendar year calculated in accordance with the Regulation.
Expansion of the Activities of the Open Banking Institutions
The PSPs authorized for open banking services, namely (i) payment initiation services and (ii) service of presenting consolidated information regarding the payment account on online platforms, were only allowed to provide value-added services to legal entities pursuant to the Regulation.
With the recent amendment, PSPs authorized for open banking services can provide qualified services to natural persons, including individual budget management, invoice management, account verification, reminders regarding payments.
Equal Treatment Rule
The Regulation already regulates the obligation of PSPs with regards to providing the payment account services and infrastructure services related to payment services to another PSP that wishes to use these services, on the same terms and conditions as it provides them to its other business customers, business partners and other PSPs whom it transacts.
The Amending Regulation further sets forth that, in the event that a PSP’s payment account services and infrastructure services related to payment services are used by other PSPs, including a PSP over which it has control (i.e. banks and their affiliated Institutions):
The PSP must offer the same services of the same nature to PSPs that are under their control and other PSPs under the same conditions and facilities and with the same fee policy, and
The PSP cannot direct or coerce its customers to receive services from the PSP that it has control over in a manner that would give an advantage over other PSPs.
Deadlines on License Applications
The Amending Regulation introduces novel deadlines regarding the license applications:
Notification Phase: The deficiencies in the information and documents at the initial notification made for the license application must be corrected within 3 months following the notification of the CBRT letter regarding the deficiency. If not corrected, the license application will be deemed as not filed.
License Expansion Phase: If the deficiencies in the information and documents related to the application for expansion of activity are not corrected within 6 months following the notification of the CBRT letter regarding the deficiency, the application will be deemed as not filed.
Cross-Border Data Transfers
Pursuant to the Communiqué, PSPs are required to keep their primary and secondary systems in Turkey. Additionally, it is regulated that outsource service providers are also required to keep their information systems within the borders of Turkey, if PSPs outsource services regarding the execution of payment transactions between customers.
On the other hand, with the Amending Communiqué, a more flexible regime is foreseen regarding the data localization requirement. PSPs are now allowed to share the required data with the relevant third parties abroad where one of the parties to the payment transaction is located abroad, depending on the request or instruction received from the customer regarding the payment transaction, provided that:
the data continues to be stored domestically,
it is limited only to the extent required for the smooth performance of the payment transaction,
in accordance with the principle of proportionality,
without prejudice to the obligations regarding the Article 9 of the Law on Protection of Personal Data No. 6698, which regulates the international transfer for personal data.
Furthermore, the CBRT is authorized suspend or impose additional limitations on such cross-border data transfers, if it determines that these transfers will adversely affect the development of the payments area as a result of its assessment.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya