General climate and trends
General innovation climate
What is the general state of fintech innovation in your jurisdiction, including any notable trends, innovations, innovators and future prospects?
The payment system environment and digital banking have been developing continuously, as shown by:
- the enactment of the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law 6493) in 2013;
- the coming into force of the Regulation on Payment Services and Electronic Money Issuance and Payment Institutions (the Payment Services Regulation) in 2014; and
- the publication, also in 2014, of the Communiqué on the Management and Supervision for Information Systems of the Payment E-Money Institutions (the PSP Communiqué).
The most innovative areas of the Turkish fintech ecosystem are back-office operations, digital banking, e-commerce, identity management, payment and insurance. Accordingly, the most fintech-friendly sectors are the financial industry, the e-commerce sector, as well as fast-moving consumer goods and real estate, among others.
According to a recently published report by market intelligence company startups.watch, fintech companies attract the most investments among Turkish start-ups and the industry is in the top tier for investments in European, Middle Eastern and North African start-ups for the early part of 2017. Investments in early 2017 have increased by 102 % compared to the same period in 2016, and there were nine investors in 2017, compared with six in 2006. The report also states that start-ups established in Turkey and Turkish start-ups established abroad have attracted similar investment amounts. This means that investors place the same importance on the fintech sector in Turkey as they do on Turkish fintech start-ups established abroad.
At the time of writing (January 2017), some 29 payment institutions and 10 e-money institutions were conducting business activities under the authority of Turkey’s Banking Regulation and Supervision Agency. In addition, six payment systems operated under a licence from the Central Bank of the Republic of Turkey.
Widespread internet access facilities and high penetration of mobile device usage in Turkey also contribute to boosting the fintech sector investments.
Lastly, Islamic fintech players have started to provide payment services on an interest-free basis.
Have there been any particular developments – regulatory or commercial – in any of the following fintech sectors?
Distributed ledger technology and digital currencies (eg, blockchain, smart contracts and Bitcoin)?
There are no particular legal developments regarding either distributed ledger technologies or digital currencies. However, the Banking Regulation and Supervision Agency announced on November 25 2013 that digital currencies such as Bitcoin cannot be considered as e-money under Turkish legislation because, unlike e-money, these currencies are not issued by an official or a private entity, and Bitcoin operates in an unregulated framework. According to the agency, Bitcoin has the potential to be involved in money laundering; it is impossible to track the identities of the parties to Bitcoin transactions and Bitcoin’s variable market price makes Bitcoin and other similar cryptocurrencies unreliable. Following the agency’s announcement, the Central Bank issued a statement discussing which three possible terms could apply to Bitcoin – namely, ‘money’, ‘commodity’ or ‘security’. The Central Bank and the Turkish Capital Market Board tend to accept crypto-currencies as ‘commodities’. If so, digital currency miners, users and trading platforms will be subject to the taxation of cryptocurrencies.
Alternative lending platforms?
Under the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions , payment and e-money institutions cannot engage in loan-granting activities.
Digital payments, remittances and foreign exchange?
Under the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions , payment services are listed numerus clauses. These services include:
- all the transactions required for operating a payment account, including the services enabling cash to be placed on and withdrawn from a payment account;
- issuing or acquiring payment instruments; and
- money remittance.
The law also provides that cash-to-cash foreign exchange operations, where the funds are not held on a payment account, do not amount to a payment service.
On September 7 2017 the Turkish Competition Authority issued its first fintech decision (Decision 17-28/462-201), cancelling the individual exemptions granted to the transactions concluded between banks and payment service providers on the ground that the provisions of these transactions restrict the competition in the contracted merchant market, which should be open to the payment service providers since they conduct activities similar to those of banks. The authors acted for the claimant in this case.
Alternative financing (including crowdfunding)?
In Turkey, fintech businesses are commonly financed through equity or debt financing. Equity financing, such as venture capital, corporate venture capital, private equity and/or business angels, are the most favoured financing model for fintech start-ups in Turkey. The Regulation on Individual Participation Capital sets forth special provisions for business angels. Articles 48 and 49 of Law 6362 on the Capital Markets and the Communiqué on Principles of Venture Capital and Private Equity Investment Companies (III-48.3) provide details rules on venture capital and private equity.
Crowdfunding, a more recent financing model, is governed by Law 6362 through to Law 7061 on the Amendments on Certain Tax Law and Other Regulations, enacted on December 5 2017. The new statutes define ‘crowdfunding’ as “fundraising through funding platforms in an attempt to provide a project or entrepreneurs with the required funding within the principles set forth by the Board, without being subject to provisions related to investor compensating of the Law”. The Capital Market Board is authorised to enact secondary legislation relating to crowdfunding.
In terms of debt financing, fintech companies have to apply to a bank to raise a bank loan. Various types of bank loan exist, although none is specific to the fintech sector. They are generally available to companies or investors in all sectors. State subsidies provided by public funds and non-governmental organisations are another option for supporting start-ups; again, these are not specific to the fintech sector. One of the start-ups’ supporter is the Small and Medium Enterprises Development Organisation of Turkey.
Investment, asset and wealth management?
There are over 200 fintech businesses in Turkey. According to a recently published report by market intelligence company startups.watch, fintech companies attract the most investments among Turkish start-ups and the industry is in the top tier for investments in European, Middle Eastern and North African start-ups for the early part of 2017. Investments in early 2017 have increased by 102 % compared to the same period in 2016, and there were nine investors in 2017, compared with six in 2006. The report also states that start-ups established in Turkey and Turkish start-ups established abroad have attracted similar investment amounts. This means that investors place the same importance on the fintech sector in Turkey as they do on Turkish fintech start-ups established abroad.
The high number of internet access facilities and the rapid increase in use of mobile devices in Turkey also explain the high levels of investments in the fintech industry in Turkey.
The industry now also includes Islamic players, which provide their payment services on an interest-free basis.
Robo-advice and artificial intelligence?
No specific legislation exists for robo-advice and artificial intelligence. However, the legal personality and responsibility of the robots are hotly debated topics among Turkish academics.
Any other technologies?
The Communiqué on Safety Stamp in E-Commerce enacted in June 2017 determines the procedures and principles of safety stamp to be used in e-commerce, and includes provisions regarding safety and service quality standards. Service providers and intermediary service providers can use a safety stamp (ie, an electronic mark) to gain the trust and ensure the safety to their consumers. These providers should also comply with the minimum requirements of the standards of safety and service quality.
How would you describe the regulatory policy for fintech products and services in your jurisdiction?
Although the Turkish fintech sector is developing, and trade and investment relating to the sector are increasing day by day, much remains to accomplish to compete with the fintech sector of other countries, in particular in the European Union. Thus, while the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions enacted in 2013 essentially transposed the first EU Payment Services Directive (2007/64/EC), the Turkish legislature needs to relax some of rules that apply to fintech businesses to make the sector more competitive; the next step will accordingly be to bring national legislation into line with the second Payment Services Directive ((EU) 2015/2366).
Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?
Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions Law sets forth the provisions regarding the activities and licensing of the payment systems, electronic money institutions and payment institutions in Turkey. In order to execute the payment services and/or e-money services under this law and, accordingly, obtain the service-related licence, fintech companies must apply to the Banking Regulation and Supervision Agency. In order to run operations as payment systems, fintech companies must apply to the Central Bank to get the relevant licence. The Banking Regulation and Supervision Agency has issued secondary legislation relating to this law: the Regulation on Payment Services and Electronic Money Issuance and Payment Institutions (the PSP Regulation) and the Communiqué on the Management and Supervision for Information Systems of the Payment E-Money Institutions (the PSP Communiqué); both came into force in June 2014. The other fintech-specific regulations are:
- the Regulation on the Activities of Payment and Security Reconciliation Systems;
- the Regulation on Supervision of Payment and Security Reconciliation Systems (both of which came into force in June 2014); and
- the Regulation on Supervision of Banking and Bank Information System Proceedings to Be Conducted by the Independent Audit Institutions.
Which government authorities regulate the provision of fintech products and services?
The Central Bank and the Banking Regulation and Supervision Agency are the main authorities regulating fintech products and services in Turkey. The Turkish Competition Authority can also rule on competition issues in the fintech sector as an ex post regulatory authority. The Turkish Financial Crimes Investigation Board is also a leading institution taking actions against money laundering proceedings for crime and terrorist financing.
Financial regulatory framework
Which laws and regulations governing the provision of financial services apply to fintech businesses?
In addition to the fintech-related regulations listed in the section titled “Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?”, the main other laws and regulations governing the provision of financial services applying to fintech businesses are:
- Law 5464 on Debit Cards and Credit Cards;
- Law 5411 on Banking;
- Law 6362 on the Capital Markets;
- Law 5549 on the Prevention of Laundering Proceeds of Crime; and
- Turkish Criminal Code 5237
Legislation on terrorist financing may also apply in some circumstances, such as Law 6415 on the Prevention of the Financing of Terrorism and the Anti-terror Law 3713 (amended by Law 5532). Some secondary regulations may also apply to fintech businesses, such as:
- the Regulation on the Procedures and Principles Regarding the Implementation of Law on the Prevention of the Financing of Terrorism;
- the Regulation on Payment Services and Electronic Money Issuance and Payment Institutions;
- the Regulation on Debit Cards and Credit Cards;
- the Communiqué on the Management and Supervision for Information Systems of the Payment E-Money Institutions; and
- the Regulation on Supervision of Banking and Bank Information System Proceedings to Be Conducted by the Independent Audit Institutions.
Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?
Companies that conduct payment services or e-money services under of Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law 6493)are considered payment service providers. Therefore, they must obtain e-money or payment service activity licences. In other words, they must not only fulfil the requirements set forth under Law 6493, but also obtain a relevant licence from the Banking Regulation and Supervision Agency. System operators are subject to special requirements to become eligible to apply to the Central Bank for a system operator licence.
Some common requirements for payment service providers are as follows:
- They must set up a joint-stock company;
- Shareholders with 10% or more of the shares in an e-money institution’s capital and control must meet the bank founders’ eligibility criteria as set forth in the Banking Law; and
- Its paid-up capital, consisting of cash and free of all kinds of fictitious transaction, should not be less than TL5 million.
Companies that conclude transactions and conduct services determined under Law 6493are not considered payment services institutions; accordingly, they do not need a licence. Some of these transactions and services are as follows:
- payment transactions made in cash directly from the payer to the payee, without any intermediary intervention;
- payment transactions consisting of cash collection and delivery within the framework of a non-profit or charitable activity; and
- cash-to-cash foreign exchange operations, where the funds are not held on a payment account.
Lastly, fintech companies are not subject to the e-money activity licence if their payment transactions are conducted through pre-paid means and carried out through their own store networks, or for sales of particular goods or services, or for a particular agreement within a certain service network. Law 6493foresees further exemptions for payment institutions as well.
Are any fintech products or services prohibited in your jurisdiction?
The Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions precludes payment and e-money institutions from engaging in loan-granting activities; consequently, these institutions cannot make instalment plans for the amounts for which they provide payment services.
Data protection and cybersecurity
What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
General and special regulations govern the processing and transfer (domestically and cross-border) of data through fintech products and services. The Protection of Personal Data Law (6698) is the main framework for personal data protection in Turkey. Thus, personal data in fintech products and services must be processed and transferred (domestically and cross-border) in compliance with, firstly, the Protection of Personal Data Law. Under this law, personal data can be neither processed nor transferred without the explicit consent of the data subject. Exemptions and other requirements exist. For instance, an adequate level of protection of the relevant foreign country where the data will be sent must be provided if explicit consent is not needed.
In addition to personal data processing responsibilities, fintech companies must establish and manage the data filing system and be registered with the Data Registry Office (VERBIS System), which will be set up soon. The Personal Data Protection Authority can investigate or audit the processing of personal data by fintech products and services.
Beside the general Protection of Personal Data Law, the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions and the PSP Communiqué set out the procedures for data processing and transferring for fintech companies specifically. These regulations state that system operators and payment and electronic money institutions must keep the documents and records required by these regulations for at least 10 years on a safe server located in Turkey. System operators must keep the information system with their backups in Turkey as well. Moreover, processing, storing or transferring personal information or sensitive payment data such as PIN (ie, personal identification number), card number and CVV2/CVC2 (ie, card verification value – the last three digits in the signature space on the back of bank cards) are possible only if the outsourced cloud services use particular hardware and software sources dedicated to the relevant institution. Fintech companies found to be in breach of these provisions can be sentenced to up to three years’ imprisonment and a judicial fine of between 500 days and 1,500 days (multiplied by a fixed amount).
In order to prevent discrepancies, system operators and payment service providers should use personal information only after taking the necessary precautions for protecting such data.
What cybersecurity regulations or standards apply to fintech businesses?
The Protection of Personal Data Law also applies to personal data in cybersecurity matters. Under the law, fintech companies must prevent the unlawful processing of personal data and unlawful access to personal data, and provide safeguards for personal data. In addition, fintech companies should take into account certain decisions of the Banking Regulation and Supervision Agency concerning standards for cybersecurity. That said, the specific legislation concerning data cybersecurity are the PSP Communiqué and the Regulation on Supervision of Banking and Bank Information System Proceedings to Be Conducted by the Independent Audit Institutions, which set forth the procedures and basic principles that service providers should put in place.
Lastly, many payment service providers adopt the Payment Card Industry Data Security Standard in order to ensure the data security for their businesses and to comply with EU requirements.
What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?
The main regulations governing fintech products and services are:
- the Law on Debit Cards and Credit Cards 5464;
- the Banking Law 5411;
- the Capital Markets Law 6362;
- the Law on Prevention of Laundering Proceeds of Crime 5549;
- the Turkish Criminal Code 5237;
- the Regulation on the Procedures and Principles Regarding the Implementation of Law on the Prevention of the Financing of Terrorism; and
- the Regulation on Debit Cards and Credit Cards.
In addition, the main anti-money laundering regulations, which also apply, are:
- the Law on Prevention of Laundering Proceeds of Crime Proceeds of Crime 5549, as amended on April 26 2016;
- the Law on the Prevention of the Financing of Terrorism 6415; and
- the Anti-terror Law 3713, as amended by Law 5532.
What precautions should fintech businesses take to ensure compliance with these provisions?
The Regulation on a Programme of Compliance with Obligations of Anti-Money Laundering and Combating the Financing of Terrorism also applies to fintech companies. This regulation sets forth the principles and the procedures regarding the establishment of compliance programmes and assignment of compliance officers by parties subject to the regulation for the purpose of preventing money laundering and financing terrorism. According to this regulation, all payment service providers should have a compliance programme.
The compliance programme includes:
- institutional policy and procedures;
- risk management activities;
- monitoring and controlling activities;
- a compliance officer and a compliance unit;
- training activities; and
- internal control activities.
Risk management, monitoring and controlling activities under the scope of the compliance programme shall be fulfilled by the compliance officer under the observation, supervision and responsibility of the executive board.
Internal control activities under the scope of the compliance programme shall be carried out by internal control units or board of inspectors of obliged parties.
Payment service providers are obliged to assign compliance officer within 30 days of their obtaining their licence.
What consumer protection laws and regulations apply to the provision of fintech products and services?
There is no special legal regulation applicable to fintech products or services in terms of consumer protection. However, the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions brings many formal requirements concerning the agreements that fintech companies must enter into to protect the consumers. In addition, when it is deemed necessary in terms of the consumer’s rights, the Banking Regulation and Supervision Agency may terminate the agreement between consumer and payment service provider.
The Regulation on Procedures and Basic Principles Regarding the Fees to Be Collected from the Financial Consumers is prepared by the Banking Regulation and Supervision Agency to determine any kind of fees, commission and expenses of the goods and services to be provided to the financial consumers. However, this regulation is applicable only to the financial institutions that are allowed to issue cards or grant consumer loans.
Lastly, the Consumer Protection Law 6502 is also applicable as a general regulation to the provision of fintech products and services.
Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?
The provision of fintech products or services currently raises no particular competition regulatory concern in Turkey.
However, a specific securities settlement system provider – namely, Bankalararası Kart Merkezi AŞ (BKM) – is licensed by the Central Bank to operate payment systems pertaining to debit and credit cards, and provides a domestic clearing and settlement system. The interbank clearing of the debts and credits of the card holders arising from their purchases is carried out within BKM’s structure through the domestic clearing and settlement of debit and credit card transactions. One of BKM’s main activities is to carry out the authorisation operation between the banks, developing the procedures applicable to the banks in the credit card and debit card sector, including determining the credit card exchange commission rates. Since BKM has the power to determine these commission rates, the Turkish Competition Authority has granted individual exemptions to BKM’s activities.
Lastly, in a recent decision (17-28/462-201 and dated September 7 2017), the Turkish Competition Authority ordered the cancellation of the individual exemptions granted to the transactions concluded between banks and payment service providers on the ground that the provisions of these transactions restrict the competition in the contracted merchant market, which should be open to the payment service providers since they conduct activities similar to those of banks. The authors were the claimant’s legal counsel of this case.
Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?
All fintech companies that wish to operate in payment services, e-money, insurance, digital banking and payment system operations in Turkey must be licensed by the Banking Regulatory Supervision Authority, the Central Bank or relevant authorities supervising the sectors.
In addition to a licence, these companies must comply with applicable laws and regulations. Companies wishing to enter the fintech field in Turkey should seek advice as to whether their chosen activity is regulated.
Financing, investment and government support
Does the government provide any incentives or support programmes to promote fintech innovation in your jurisdiction (eg, tax incentives, grants and regulatory sandboxes)?
Yes, the Turkish government provides some incentives and support programmes to promote fintech innovation. The main ones are outlined below:
- Law 4691 on Technology Development Zones – under this law, fintech companies located in techno parks can benefit from numerous tax incentives including exemption of corporate tax, income tax and value added tax. In addition, fintech companies that are essentially research and development companies may deduct 50% of the social security premium exemption for their employees for a period of five years.
- the Regulation on Individual Participation Capital – under this regulation 75% of the value of the participation shares of fintech companies established under Turkish law or held by business angels/individual investors can be deducted from the individual investors/business angel’s income tax for the next tax year.
- Decree 2012/3305 of the Turkish Counsel of Minister – this decree sets forth the procedures of general investment incentive systems. Communiqué 2012/1 of the Turkish Ministry of Economy (amended by Communiqué 2017/1) provides further details. These investment incentives are explained in the section below titled “Financing and investment”.
- the 10th Development Plan of the Ministry of Development – the plan provides that payment systems will be strengthened in line with technological developments and needs in the country. Moreover, investment into fintech companies will be increasingly supported by Stock Exchange Istanbul or by the Turkish government to make Turkey a regional investment hub in the fintech sector.
Has the government concluded any international cooperation agreements to promote and facilitate the cross-border expansion of fintech businesses?
The government has not concluded any international cooperation agreements yet; however, in practice the main payment service providers have been trying to take steps in the direction of cross-border expansion of fintech businesses. For example, the company behind the Turkish payment method TROY signed a successful cooperation agreement with a global institution in December 2017. Under this agreement, TROY has become valid worldwide and the TROY logo will be used for international transactions.
Financing and investment
What private financing and investment schemes are available and commonly used for fintech start-ups in your jurisdiction?
There are no specific private financing and investment schemes for fintech businesses in Turkey. However, five different general investment incentive schemes are detailed in Communiqué 2012/1 of the Turkish Ministry of Economy:
- the General Investment Incentive Scheme;
- the Regional Investment Incentive Scheme;
- the Priority Investment Incentive Scheme;
- the Large Scale Investment Incentive Scheme; and
- the Strategic Investment Incentive Scheme.
According to these schemes, several different support measures can be provided such as value added tax exemption, custom duty exemption and tax deduction.
What forms of IP protection are available for fintech innovations?
There is no specific provision on IP protection relating to fintech innovations. That said, IP and industrial property rights are protected respectively by Law 5846 on Intellectual and Artistic Work and Law 6769 on Industrial Property Law. If the fintech products or services are subject to industrial property rights (ie, trademark or patent), a patent or trademark registration is required before the Turkish Patent and Trademark Office. By contrast, there is no registration requirement in terms of IP rights.
What rules govern the ownership of IP rights to fintech innovations?
According to Law 5846 on Intellectual and Artistic Work, ownership of fintech innovations will belong to the first creator, who will be deemed as the author. Intellectual property created by an employee during an employment contract will be owned by the employer, who will be considered the author. The duration of the IP right is the life of the author plus 70 years following his or her death.
What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the tech or financial sector?
There is no specific immigration scheme for fintech businesses to recruit staff from abroad. That said, several laws and regulations exist concerning immigration schemes to recruit skilled staff from abroad. The main regulations are:
- the Law on Foreigners and International Protection;
- the International Labour Law;
- the Law on Work Permit for Foreigners 4817; and
- the Law on Residence and Travel of Foreigners in Turkey.
What immigration schemes are available for foreign investors and entrepreneurs wishing to invest in or establish a fintech business in your jurisdiction?
The Law on Direct Foreign Investments 4875 and its secondary regulations, along with the Law on Work Permit for Foreigners 4817, are the main regulations for foreign investors and entrepreneurs willing to invest in the fintech sector or establish a fintech business. These regulations do not provide for specific immigration schemes for foreign investors and entrepreneurs of fintech business. Therefore, these investors and entrepreneurs will be subject to the general immigration schemes regulated in the aforementioned laws.