Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.
How would you describe the regulatory policy for fintech products and services in your jurisdiction?
Although the Turkish fintech sector is developing, and trade and investment relating to the sector are increasing day by day, much remains to accomplish to compete with the fintech sector of other countries, in particular in the European Union. Thus, while the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions enacted in 2013 essentially transposed the first EU Payment Services Directive (2007/64/EC), the Turkish legislature needs to relax some of rules that apply to fintech businesses to make the sector more competitive; the next step will accordingly be to bring national legislation into line with the second Payment Services Directive ((EU) 2015/2366).
Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?
Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions Law sets forth the provisions regarding the activities and licensing of the payment systems, electronic money institutions and payment institutions in Turkey. In order to execute the payment services and/or e-money services under this law and, accordingly, obtain the service-related licence, fintech companies must apply to the Banking Regulation and Supervision Agency. In order to run operations as payment systems, fintech companies must apply to the Central Bank to get the relevant licence. The Banking Regulation and Supervision Agency has issued secondary legislation relating to this law: the Regulation on Payment Services and Electronic Money Issuance and Payment Institutions (the PSP Regulation) and the Communiqué on the Management and Supervision for Information Systems of the Payment E-Money Institutions (the PSP Communiqué); both came into force in June 2014. The other fintech-specific regulations are:
- the Regulation on the Activities of Payment and Security Reconciliation Systems;
- the Regulation on Supervision of Payment and Security Reconciliation Systems (both of which came into force in June 2014); and
- the Regulation on Supervision of Banking and Bank Information System Proceedings to Be Conducted by the Independent Audit Institutions.
Which government authorities regulate the provision of fintech products and services?
The Central Bank and the Banking Regulation and Supervision Agency are the main authorities regulating fintech products and services in Turkey. The Turkish Competition Authority can also rule on competition issues in the fintech sector as an ex post regulatory authority. The Turkish Financial Crimes Investigation Board is also a leading institution taking actions against money laundering proceedings for crime and terrorist financing.
Financial regulatory framework
Which laws and regulations governing the provision of financial services apply to fintech businesses?
In addition to the fintech-related regulations listed in the section titled “Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?”, the main other laws and regulations governing the provision of financial services applying to fintech businesses are:
- Law 5464 on Debit Cards and Credit Cards;
- Law 5411 on Banking;
- Law 6362 on the Capital Markets;
- Law 5549 on the Prevention of Laundering Proceeds of Crime; and
- Turkish Criminal Code 5237
Legislation on terrorist financing may also apply in some circumstances, such as Law 6415 on the Prevention of the Financing of Terrorism and the Anti-terror Law 3713 (amended by Law 5532). Some secondary regulations may also apply to fintech businesses, such as:
- the Regulation on the Procedures and Principles Regarding the Implementation of Law on the Prevention of the Financing of Terrorism;
- the Regulation on Payment Services and Electronic Money Issuance and Payment Institutions;
- the Regulation on Debit Cards and Credit Cards;
- the Communiqué on the Management and Supervision for Information Systems of the Payment E-Money Institutions; and
- the Regulation on Supervision of Banking and Bank Information System Proceedings to Be Conducted by the Independent Audit Institutions.
Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?
Companies that conduct payment services or e-money services under of Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law 6493)are considered payment service providers. Therefore, they must obtain e-money or payment service activity licences. In other words, they must not only fulfil the requirements set forth under Law 6493, but also obtain a relevant licence from the Banking Regulation and Supervision Agency. System operators are subject to special requirements to become eligible to apply to the Central Bank for a system operator licence.
Some common requirements for payment service providers are as follows:
- They must set up a joint-stock company;
- Shareholders with 10% or more of the shares in an e-money institution’s capital and control must meet the bank founders’ eligibility criteria as set forth in the Banking Law; and
- Its paid-up capital, consisting of cash and free of all kinds of fictitious transaction, should not be less than TL5 million.
Companies that conclude transactions and conduct services determined under Law 6493are not considered payment services institutions; accordingly, they do not need a licence. Some of these transactions and services are as follows:
- payment transactions made in cash directly from the payer to the payee, without any intermediary intervention;
- payment transactions consisting of cash collection and delivery within the framework of a non-profit or charitable activity; and
- cash-to-cash foreign exchange operations, where the funds are not held on a payment account.
Lastly, fintech companies are not subject to the e-money activity licence if their payment transactions are conducted through pre-paid means and carried out through their own store networks, or for sales of particular goods or services, or for a particular agreement within a certain service network. Law 6493foresees further exemptions for payment institutions as well.
Are any fintech products or services prohibited in your jurisdiction?
The Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions precludes payment and e-money institutions from engaging in loan-granting activities; consequently, these institutions cannot make instalment plans for the amounts for which they provide payment services.
Data protection and cybersecurity
What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
General and special regulations govern the processing and transfer (domestically and cross-border) of data through fintech products and services. The Protection of Personal Data Law (6698) is the main framework for personal data protection in Turkey. Thus, personal data in fintech products and services must be processed and transferred (domestically and cross-border) in compliance with, firstly, the Protection of Personal Data Law. Under this law, personal data can be neither processed nor transferred without the explicit consent of the data subject. Exemptions and other requirements exist. For instance, an adequate level of protection of the relevant foreign country where the data will be sent must be provided if explicit consent is not needed.
In addition to personal data processing responsibilities, fintech companies must establish and manage the data filing system and be registered with the Data Registry Office (VERBIS System), which will be set up soon. The Personal Data Protection Authority can investigate or audit the processing of personal data by fintech products and services.
Beside the general Protection of Personal Data Law, the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions and the PSP Communiqué set out the procedures for data processing and transferring for fintech companies specifically. These regulations state that system operators and payment and electronic money institutions must keep the documents and records required by these regulations for at least 10 years on a safe server located in Turkey. System operators must keep the information system with their backups in Turkey as well. Moreover, processing, storing or transferring personal information or sensitive payment data such as PIN (ie, personal identification number), card number and CVV2/CVC2 (ie, card verification value – the last three digits in the signature space on the back of bank cards) are possible only if the outsourced cloud services use particular hardware and software sources dedicated to the relevant institution. Fintech companies found to be in breach of these provisions can be sentenced to up to three years’ imprisonment and a judicial fine of between 500 days and 1,500 days (multiplied by a fixed amount).
In order to prevent discrepancies, system operators and payment service providers should use personal information only after taking the necessary precautions for protecting such data.
What cybersecurity regulations or standards apply to fintech businesses?
The Protection of Personal Data Law also applies to personal data in cybersecurity matters. Under the law, fintech companies must prevent the unlawful processing of personal data and unlawful access to personal data, and provide safeguards for personal data. In addition, fintech companies should take into account certain decisions of the Banking Regulation and Supervision Agency concerning standards for cybersecurity. That said, the specific legislation concerning data cybersecurity are the PSP Communiqué and the Regulation on Supervision of Banking and Bank Information System Proceedings to Be Conducted by the Independent Audit Institutions, which set forth the procedures and basic principles that service providers should put in place.
Lastly, many payment service providers adopt the Payment Card Industry Data Security Standard in order to ensure the data security for their businesses and to comply with EU requirements.
What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?
The main regulations governing fintech products and services are:
- the Law on Debit Cards and Credit Cards 5464;
- the Banking Law 5411;
- the Capital Markets Law 6362;
- the Law on Prevention of Laundering Proceeds of Crime 5549;
- the Turkish Criminal Code 5237;
- the Regulation on the Procedures and Principles Regarding the Implementation of Law on the Prevention of the Financing of Terrorism; and
- the Regulation on Debit Cards and Credit Cards.
In addition, the main anti-money laundering regulations, which also apply, are:
- the Law on Prevention of Laundering Proceeds of Crime Proceeds of Crime 5549, as amended on April 26 2016;
- the Law on the Prevention of the Financing of Terrorism 6415; and
- the Anti-terror Law 3713, as amended by Law 5532.
What precautions should fintech businesses take to ensure compliance with these provisions?
The Regulation on a Programme of Compliance with Obligations of Anti-Money Laundering and Combating the Financing of Terrorism also applies to fintech companies. This regulation sets forth the principles and the procedures regarding the establishment of compliance programmes and assignment of compliance officers by parties subject to the regulation for the purpose of preventing money laundering and financing terrorism. According to this regulation, all payment service providers should have a compliance programme.
The compliance programme includes:
- institutional policy and procedures;
- risk management activities;
- monitoring and controlling activities;
- a compliance officer and a compliance unit;
- training activities; and
- internal control activities.
Risk management, monitoring and controlling activities under the scope of the compliance programme shall be fulfilled by the compliance officer under the observation, supervision and responsibility of the executive board.
Internal control activities under the scope of the compliance programme shall be carried out by internal control units or board of inspectors of obliged parties.
Payment service providers are obliged to assign compliance officer within 30 days of their obtaining their licence.
What consumer protection laws and regulations apply to the provision of fintech products and services?
There is no special legal regulation applicable to fintech products or services in terms of consumer protection. However, the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions brings many formal requirements concerning the agreements that fintech companies must enter into to protect the consumers. In addition, when it is deemed necessary in terms of the consumer’s rights, the Banking Regulation and Supervision Agency may terminate the agreement between consumer and payment service provider.
The Regulation on Procedures and Basic Principles Regarding the Fees to Be Collected from the Financial Consumers is prepared by the Banking Regulation and Supervision Agency to determine any kind of fees, commission and expenses of the goods and services to be provided to the financial consumers. However, this regulation is applicable only to the financial institutions that are allowed to issue cards or grant consumer loans.
Lastly, the Consumer Protection Law 6502 is also applicable as a general regulation to the provision of fintech products and services.
Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?
The provision of fintech products or services currently raises no particular competition regulatory concern in Turkey.
However, a specific securities settlement system provider – namely, Bankalararası Kart Merkezi AŞ (BKM) – is licensed by the Central Bank to operate payment systems pertaining to debit and credit cards, and provides a domestic clearing and settlement system. The interbank clearing of the debts and credits of the card holders arising from their purchases is carried out within BKM’s structure through the domestic clearing and settlement of debit and credit card transactions. One of BKM’s main activities is to carry out the authorisation operation between the banks, developing the procedures applicable to the banks in the credit card and debit card sector, including determining the credit card exchange commission rates. Since BKM has the power to determine these commission rates, the Turkish Competition Authority has granted individual exemptions to BKM’s activities.
Lastly, in a recent decision (17-28/462-201 and dated September 7 2017), the Turkish Competition Authority ordered the cancellation of the individual exemptions granted to the transactions concluded between banks and payment service providers on the ground that the provisions of these transactions restrict the competition in the contracted merchant market, which should be open to the payment service providers since they conduct activities similar to those of banks. The authors were the claimant’s legal counsel of this case.
Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?
All fintech companies that wish to operate in payment services, e-money, insurance, digital banking and payment system operations in Turkey must be licensed by the Banking Regulatory Supervision Authority, the Central Bank or relevant authorities supervising the sectors.
In addition to a licence, these companies must comply with applicable laws and regulations. Companies wishing to enter the fintech field in Turkey should seek advice as to whether their chosen activity is regulated.
Click here to view the full article.