The regulation and communiqué published in the Official Gazette dated October 7, 2023, issued by the Central Bank of the Republic of Turkey (“T.C.M.B.” or “Bank”), introduced amendments to the “Regulation on Payment Services and Electronic Money Issuance, and Payment Service Providers” and the “Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services.” These changes introduce significant regulations regarding the use of financial technologies brought to everyday life by organizations operating in the fintech sector, payment service providers, institutions issuing electronic money (“Institution”), and the users of payment services. For example, the ‘Digital Wallet’ (or Virtual Wallet or Electronic Account Wallet), widely recognized as a next-generation payment method, is defined for the first time in Turkish legislation as a result of these amendments. We will explain the main changes brought by the new legislation in this article.
DIGITAL WALLET WAS DEFINED FOR THE FIRST TIME IN THE LEGISLATION, AND THE INDIVIDUALS AUTHORIZED TO PROVIDE THIS SERVICE WERE RESTRICTED.
In the regulation, the Digital Wallet is defined as an electronic device, online service, or application where the customer’s specified payment account or payment instrument information is stored, and which enables the customer to make payments using the information they have provided.
Payment service institutions can offer digital wallet services, but they must have the authority to issue payment instruments for this purpose. Similarly, if the digital wallet is intended to be used as a direct payment instrument in businesses, it is mandatory for the financial institution to have the authorization to issue electronic money. Only services provided by entities storing sensitive customer data on behalf of payment service providers, provided that they comply with the provisions of the regulation, will not be considered within the scope of digital wallet services.
Individuals who were providing digital wallet services before October 7, 2023, and could potentially be categorized as payment institutions or electronic money institutions established under the Law, but do not have operating permits, must apply to the Central Bank within one year, until October 7, 2024, to obtain the necessary permissions. All institutions are required to comply with the new regulations introduced by October 7, 2024.
IN CERTAIN CASES, THE PAYMENT INSTITUTION WILL NOT BE REQUIRED TO OBTAIN CUSTOMER APPROVAL TO PROVIDE ADDITIONAL SERVICES
If it is deemed necessary for the development of the payment industry by the TCMB, in the additional payment services determined by the Bank, the requirement for ‘customer approval and request’ will not be applicable for the provision of these services. However, it is a prerequisite that there is already a contract between the customer and the institution from which the customer receives payment services regarding another payment service. Even in this case, necessary information must be provided to the customer before the provision of additional payment services begins, and if the customer indicates that they do not want the additional payment service, it should not be provided.
CHANGES REGARDING THE APPLICATION PROCESSES TO THE CENTRAL BANK FOR OPERATING PERMIT CERTIFICATE AND APPROVAL OF SHARE TRANSFERS
In permit applications to the Central Bank for operating as a payment service provider or electronic money institution, additional documents have been included among the required paperwork. These include undertakings stating that the qualified shareholders and shareholders holding control of the company’s capital are self-funded and have been provided in cash and deposited without any collusion, along with bankruptcy concordat documents obtained from the relevant trade registry office for these individuals and the companies in which they directly own at least 33%, as well as documents related to their Findeks credit ratings. Additionally, specific timelines that should be followed by the institutions, on applications to be made to Central Bank including the operating permit certificate and approvals for share transfers have been updated.
Additionally, acquisitions and transfers of shares among companies belonging to the same group that do not result in any change in the ownership percentage of the ultimate shareholders, whether directly or indirectly, within the Institution, are no longer subject to TCMB approval. However, in any case, these share transfers must be reported to the Central Bank within 10 (ten) business days after being learned by the institution.
EXPANSION OF THE AREAS ALLOWED FOR PAYMENT INSTITUTIONS TO OPERATE
In the financial technology sector, companies operating as electronic money and payment service providers are generally prohibited from offering services outside their designated services under the Law. However, exceptions, such as providing education and consultancy services related to the main services of the Institution, are allowed under the regulations. With these changes, the exceptions have been expanded. The new regulations have added ancillary services that can increase the use of the Institution’s payment services, such as marketing and directing users to the systems of the relevant financial institution, value-added services for legal entities, provision of qualified services for individuals, and intermediation in transactions related to the buying and selling of precious metals and gemstones, to the list of exceptions.
THE NUMBER OF CRITERIA TO BE CONSIDERED IN DETERMINING THE COLLATERAL AMOUNT TO BE HELD BY THE BANK FOR THE INSTITUTION HAS BEEN REDUCED
As known, to ensure the compensation of the rights of fund owners and the fulfillment of the obligations arising from the Law, institutions are required to hold a certain amount of collateral at the TCMB. The provision specifying the criteria for determining the amount of this collateral has been amended by the Central Bank, reducing the essential criteria to two down from seven:
- No administrative fines should have been applied to the Institution within the scope of the Law.
- The percentage of complaints and objections against the institution resulting in favor of the complainant in the Union’s (The Payment and Electronic Money Institutions Association of Türkiye) arbitration committees should not exceeds ten percent of the total applications related to the institution
EXPLANATORY REGULATIONS REGARDING PAYMENT ORDERS FOR THOSE OPERATING IN OPEN BANKING
The amendment in the regulation emphasizes that for a payment transaction to be considered as an “initiation service for payment orders”, the initiator of the payment transaction must utilize another payment service provider apart from the payment service provider where the payment transaction will be executed. For payment transactions initiated via the payee, if the senders do not use another service provider apart from the service provider where their payment account is held, these transactions will not be considered as an initiation service.
MONETARY RANGE SET FOR ANONYMOUS PREPAID INSTRUMENTS
With the amendment made within the scope of the communiqué to the definition of anonymous prepaid instruments, these instruments are defined as payments and loads that fall within the monetary limits specified in the first paragraph of Article 2.2.9 and the first paragraph of Article 2.2.11 of the General Communiqué on the Prevention of Money Laundering published in the Official Gazette dated 9/4/2008 and numbered 26842 (Serial No: 5).”
NEW REGULATIONS ON AUDIT TRAIL RECORD SYSTEMS
Institutions will establish an audit trail record system that enables tracking of physical or logical accesses to customer information and information systems, unauthorized access attempts, and transactions related to activities within the scope of the Law. With the changes made in the Regulation, this system should now include the time and source, as well as the target port and IP information of the access or transaction.
In case the record system stops due to any reason, the audit trials of the transactions that occurred until the system is operational again should be securely stored and recorded in the system after it is reactivated to maintain security and integrity. If transactions continue to occur despite the system being down, the Institution will be responsible for proving that the transactions were carried out in compliance with legal provisions by authorized individuals. Additionally, in case any party incurs damages due to these transactions, the Institution is now obligated to compensate for the losses suffered by the parties.
CHANGES MADE TO THE CONDITIONS REGARDING CLOUD SERVICES
When Institutions wish to outsource sensitive customer data, competition-sensitive data, and personal data through cloud services, the external service providers must be approved by the Central Bank. However, with the new changes introduced, it is emphasized that maximum care must be taken for the products and services to be obtained within the scope of critical information systems and security, and they should either be produced in Turkey or their research and development centers should be located in Turkey. This requirement will be considered a significant criterion in the outsourcing of services. Additionally, it is mandatory for such providers and manufacturers to have intervention teams in Turkey. The Central Bank will also have the authority to set additional requirements for the security products and other information technology elements used by Institutions.
REGULATION ON THE TRANSFER OF DATA ABROAD
Institutions are required to keep their primary and secondary systems as well as data backup centers within Turkey. However, in cases where one of the parties involved in the payment transaction (either the Institution or its service provider) is located abroad, the Institution can share the necessary data, limited to what is required for the smooth execution of the payment transaction, while ensuring that the data continues to be stored within the country. This sharing is subject to customer requests or instructions related to the payment transaction and in compliance with the principle of proportionality and the obligations specified in Article 9 of Law No. 6698. However, if the Central Bank determines, based on its evaluation, that it would negatively impact the development of the payments industry, it has the authority to halt these sharing activities or impose additional restrictions on them.
REGULATIONS REGARDING PROCESSES CONDUCTED THROUGH REMOTE COMMUNICATION TOOLS
In the processes of identity verification and contract establishment conducted by the Institution through remote communication tools, changes have been made in the procedures and principles related to authentication methods and control mechanisms. The regulations outline the technical actions to be taken when conducting a live test using online real-time video, online real-time moving photos, or online video calls, and when capturing the person’s face and the area near the identity document through close-range communication in remote identity verification processes. It is useful to remember that the guides and decisions published by the Turkish Personal Data Protection Authority (“KVKK”) also play an important role in remote communication processes as they specify the aspects to be considered during the processing of biometric data.
Attorney Burcu Gür