News & Insights
Regulatory Approaches in the Fintech World: A Lawyer’s Guide to Fintech - Chapter 3
Onur Küçük | MANAGING PARTNER23.08.2023
In Turkey, regulations ensure that payment service providers and electronic money institutions operate in accordance with topics such as licensing, capital adequacy ratios, and consumer protection. These regulations and rules are implemented to ensure stability, security, and sustainable growth in Turkey's financial sector. The effects of financial regulations are seen in the protection of consumers and investors, a more transparent and fair financial system, and the management of risks in the financial sector. As a result, Turkey's financial sector achieves a stronger, more robust, and innovative structure and becomes more effective in global competition.
1. Regulation Index
1.1. Payment Systems and Services
Payment systems are systems that serve a structure where fund transfers are made as a result of transfer orders sent within the framework of common rules by three or more participants. Payment systems provide infrastructure for payment services by ensuring the clearance and reconciliation of payment transactions of financial institutions. Card reconciliation systems, Electronic Fund Transfer (EFT), and Immediate and Continuous Fund Transfer (FAST) are frequently used payment systems in Turkey. There are 5 institutions operating in Turkey and licensed as a payment system by the Central Bank of the Republic of Turkey: Interbank Card Center, Takasbank, Garanti Payment Systems, Paycore, and Bileşim.
Payment services, on the other hand, are services that facilitate the execution of payment transactions. Payment services allow for the transfer of money between the accounts of individuals and businesses. These services assist in the safe and effective execution of payment transactions. Payment service providers include financial institutions such as banks, electronic money institutions, and payment institutions. Payment services are provided with various payment methods such as credit card transactions, wire transfers, EFT, direct debit, and digital wallets. Payment services offer convenience and speed to consumers and businesses in their daily financial transactions. The regulations made in these areas can be listed as follows;
• Law No. 6493 on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions
• Regulation on the Activities of Payment and Securities Settlement Systems
• Regulation on the Oversight of Payment and Securities Settlement Systems
• Regulation on Check Clearing Activities
• Notification on Information Systems Used in Payment and Securities Settlement Systems
Law No. 6493 regulates the procedures and principles related to payment systems, payment services, payment institutions, and electronic money institutions. The definition, scope of the payment system, the conditions to be a system operator, the activity permission process, the supervision of the systems, and the necessary precautions are detailed with the relevant law. Law No. 6493 specifies the payment service and activities that will not be covered by the payment service. The areas of activity of payment and electronic money institutions are defined, and the provisions regarding the granting and termination of the activity permit are specified.
One of the most significant changes in this field is that the authority to license, regulate, and supervise payment services was transferred from the Banking Regulation and Supervision Agency (“BRSA”) to the Central Bank of the Republic of Turkey (“CBRT”) in 2020. Lastly, open banking in the field of payments is included in the scope of payment services as payment service data sharing services with the update in 2019.
1.2. Electronic Money and Payment Institution
With the ‘Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers’, the procedures and principles related to the commencement of activities of payment services and electronic money institutions, the provision of payment services, and the issuance of electronic money are specified. Payment services are classified, and guidelines for companies on providing payment services are included.
The relevant regulation describes the permission process for payment and e-money institutions, detailing the conditions and necessary documentation for this process. These documents are primarily guides that associate the business models offered in the payments field with types of payment services.
Additionally, certain obligations are imposed on companies to protect the rights of fund holders and to comply with regulations. A Business Registration System (İKS) is established for payment service providers to ensure security in payment services, and this is operated by BKM (Interbank Card Center). The regulation details the transactions that companies cannot perform and stipulates the conditions for the use of funds held in customer payment accounts. Lastly, it is indicated that companies can operate through representatives, and the conditions they need to adhere to when conducting these activities, as well as the principles related to 'Account Information Service and Payment Order
Initiation Service' under open banking services, are determined.
1.3. Information Systems in Payment Services and GEÇİT Infrastructure
The ‘Notification on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services by Payment Service Providers’ was published on December 1, 2021, and the Open Banking Press Release was published on December 1, 2022. Institutions are required to establish security systems and secondary systems to prevent any disruptions in their operations and to periodically test them.
There's a requirement for the systems to be located domestically, and for system servers to undergo vulnerability scans at least six times a year, and conduct a risk assessment at least once a year. Apart from anonymous prepaid instruments, institutions are required to establish an identity verification system. They must also prepare a continuity plan for their information systems. To facilitate the integration of open banking stakeholders, a common platform was designed in collaboration between CBRT and BKM, and accordingly, the ‘GEÇİT’ infrastructure was established, allowing financial service users to manage their accounts with different payment service providers from a single access point.
1.4. TR QR Code
With the TR QR Code Regulation released on August 21, 2020, standards for QR codes used in payment services in Turkey were determined. This regulation elaborated on the principles related to the production and usage of the TR QR Code. The TR QR Code projects are carried out in collaboration between CBRT and BKM. To generate a TR QR Code, a QR code producer code is needed, and one must apply to BKM. For the TR QR Code to be used in various payment systems and services, the CBRT developed technical principles and rules. Currently, the TR QR Code is available in 91% of ATMs and 65% of POS devices. With the TR QR Code, individuals can withdraw money from ATMs, make payments via POS devices, and perform individual money transfers.
1.5. Digital Banking
The Regulation on Operating Principles of Digital Banks and Service Model Banking (“Digital Banking Regulation”) introduced regulations regarding the establishment and operation of digital banks. According to this regulation, the minimum capital of digital banks should be 1 billion TL, and customers of digital banks with limited licenses can only consist of financial consumers and SMEs. If the paid-up capital of digital banks is increased to 2.5 billion TL, operating restrictions can be completely lifted or removed under an appropriate transition plan. Accordingly, the unsecured loan amount that digital banks with a limited license can offer to financial consumers is limited to four times the monthly income of the customer or 10,000 TL if the income cannot be determined.
In short, the Digital Banking Regulation encourages digital transformation in the banking sector, determining the basics for establishing new digital banks and the digitalization processes of existing banks.
1.6. Service Model Banking
With the aforementioned Digital Banking Regulation, the principles of service model banking are also determined. Service model banking involves third-party institutions (interface providers) offering banking services via mobile applications or online using the infrastructure of a bank (service bank). In this model, interface providers must be resident in the country and cannot give the impression that they operate like a bank or payment service provider. The service bank has the authority to decide on the banking services that interface providers can offer and is jointly responsible with the interface providers in terms of security measures. Regulations related to service model banking specify the restrictions and prerequisites for banks obtaining support services and the conditions to be sought in the support service institution.
1.7. Financing Company
In fact, the principles regarding the establishment and operation permissions of financing companies were determined with the Financial Leasing, Factoring, Financing, and Savings Financing Companies Law No. 6361 published on December 13, 2012. However, with an update introduced on April 15, 2022, it was regulated that Fintech companies could operate with the "Buy Now Pay Later" business model by obtaining a financing company license.
The Crowdfunding Communique (“Communique”) regulated by the Capital Markets Board (“CMB”) sets the procedures and principles for equity-based and debt-based crowdfunding. Platforms have to get permission from CMB and have to reapply within 6 months after getting the permission to be listed. According to the Communique, the platform's board of directors must establish an "Investment Committee" with at least three members. Moreover, startups can raise funds a maximum of two times within a 12-month period. The fund amount they can raise is limited to 45 million TL. This amount is updated by CMB every year.
For funds obtained through equity-based crowdfunding that exceed 3 million TL, at least 5% must be provided by qualified investors. This amount is updated annually by the CMB. Non-qualified individual investors can invest a maximum of 150,000 TL in one year, and depending on their annual net income, the investment amount is limited to 600,000 TL. In debt-based crowdfunding, non-qualified individual investors are allowed to invest a maximum of 60,000 TL in one project. These amounts are also updated annually by the CMB. Funding platforms are required to publish the targeted and collected amounts, the number of investors, and the remaining time in real-time on their websites, and they must announce the results on the next business day after the funding ends.
In conclusion, Fintech applications should pay attention to whether or not they fall within the regulatory boundaries set by the CMB. It should be kept in mind that the CMB will apply all necessary administrative and penal measures regarding activities to be carried out without permission under the name of crowdfunding. Additionally, investors should not give credence to potential crypto asset sales that might be conducted under the guise of crowdfunding.
1.9. 1.1. Financial Courts
On November 30, 2021, in accordance with the decisions of the Judges and Prosecutors Board, 6 specialized courts were established that cover finance, Fintech, and IT matters. It was decided that these courts would handle cases arising under the Law No. 6493 in the field of Fintech.
1.10. 1.2. Remote Customer Acquisition
Remote customer acquisition eliminates the need to be physically together, allowing identity verification and contract processes to be carried out through electronic communication devices and in the digital environment. Legally, for a contractual relationship to be established and completed, the contract text must be sent to the customer in the digital environment, and the customer's consent must be obtained. During this process, it is essential to comply with appropriate legal regulations and data protection principles to verify and ensure the identity and security of the customer. It is observed that regulations related to remote customer acquisition increased after 2021. The regulations made in this field can be listed as follows:
By the Central Bank of Turkey (CBRT);
• Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers
• Communique on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services
By the Banking Regulation and Supervision Agency (BRSA);
• Regulation on Remote Identification Methods to be Used by Banks and Establishing a Contractual Relationship in Electronic Environment
• Regulation on Remote Identification Methods to be Used by Financial Leasing, Factoring, Financing and Savings Finance Companies and Establishing a Contractual Relationship in the Electronic Environment
By the Capital Markets Board (CMB);
• Communique on Remote Identification Methods to be Used by Brokerage Houses and Portfolio Management Companies and Establishing a Contractual Relationship in the Electronic Environment
1.11. Prevention of Money Laundering and Financing of Terrorism
In Turkey, there are two important laws regarding the prevention of money laundering: Law No. 5549 on the Prevention of Laundering of Crime Revenues and Law No. 6415 on the Prevention of Financing of Terrorism.
The authority of Financial Crimes Investigation Board (“MASAK”) in the areas of money laundering and financing of terrorism was expanded. Accordingly, duties were given to the MASAK Presidency to collect data, analyze and evaluate suspicious transaction reports within the scope of preventing money laundering and financing of terrorism. Additionally, it was made mandatory to report transactions to MASAK in cases where there is any information, suspicion, or matter that would suggest the assets in question were obtained or used through illegal means.
As of May 1, 2021, crypto asset service providers were included in the scope of institutions subject to MASAK obligations. According to the Guide published by MASAK concerning the regulation, crypto asset service providers are defined as institutions that mediate the purchase and sale of crypto assets through electronic transaction platforms.
Also, by MASAK, it is specified which data should be provided by the sender and recipient in electronic money transfers and the measures to be taken for the identification of the parties. Companies are obliged to take the necessary precautions in terms of internal audit, control, and risk management within the scope of MASAK regulations.