The BRSA (Banking Regulation and Supervision Authority) has elaborated on service model banking ("Banking as a Service", BaaS), which is considered the next-generation banking service model and is used by banks to improve their inclusiveness by providing infrastructure to other industries.
The "Regulation on Operating Principles of Digital Banks and Banking as a Service" ("Regulation"), prepared by the BRSA to introduce service model banking into our country's legislation, was published in the Official Gazette dated 29.12.2021. Service model banking increases financial inclusion and functions as a lever to facilitate access to banking services.
We can summarize the key details about the Regulation as follows.
How does the Regulation define Banking as a Service?
Excluding the open banking services in the payments industry, the Banking as a Service (BaaS) model is one where banks share both their data and services with third parties via API and similar methods. The parties to this business model are defined in the Regulation as follows:
· The service bank is "the bank that provides service model banking services",
· Interface developers are "enterprises established as capital companies that enable their customers to perform their banking transactions via the mobile app or internet browser-based interface by accessing the banking services offered by the service bank via its open banking services".
In this context, we can say that service banks can be any bank specified in the Banking Law No. 5411 and that interface developers are fin-tech companies or other businesses which allow their customers to perform their banking transactions via the mobile application or internet browser-based interface that they develop. However, we should also note that the Regulation prohibits banks from becoming interface providers.
Based on the above definitions, the BaaS model is defined as "a banking service model which allows their clients to make transactions via service banks, by connecting to the service banks' systems directly via open banking services, via the interface offered by the interface providers".
Locality Requirement for Interface Providers
According to the Regulation, service banks are permitted to offer BaaS only to those interface developers established in Turkey.
The Regulation clarifies that interface providers that are not established in Turkey cannot benefit from BaaS even if they operate in Turkey and that companies seeking to utilize this service are required to have a company established in Turkey in any case.
Prohibition of Using Expressions That Can Mislead the Customers
The Regulation prohibits interface providers from using:
· the names of payment service providers such as bank or payment institution and electronic money institution,
· or words and phrases that give the impression that they are operating like a bank or non-bank payment service provider, collecting deposit and participation funds like a bank, or collecting funds like a payment service provider in their trade names, all kinds of documents, announcements, advertisements, or public statements without obtaining necessary permissions.
Contractual Relationships Among Service Bank, Interface Provider, and Customer
With the Regulation, the BRSA also presents regulations regarding the relationship among the service bank, the interface provider, and the customer of the interface provider who will be using banking services.
In this context, signing a contract with both the interface provider and the service bank is now mandatory for the customer of the interface provider to benefit from BaaS.
Moreover, the Regulation stipulates that the service bank will determine whether to provide banking services to the customer via BaaS through the interface provider's interface, including the loan allocation decision and that the banking services offered to the customer will be performed on the balance sheet of the service bank.
The Security Level of the Interface of Interface Providers
Regarding the contracts to be established in an electronic environment between the customer of the interface provider and the bank, the Regulation requires the process to be conducted under the Regulation on Remote Identification Methods and Establishment of Contractual Relations in Electronic Environment to be Used by Banks, with the identification made by the service bank. Thus, we can say that interface providers' mobile app or browser-based interface must have a security level equivalent to the banks'.
Moreover, the Regulation also mandates the compliance of the relevant service channels of interface provider with the security criteria stipulated in the Regulation on the Information Systems of the Banks and Electronical Banking Services ("Information Systems Regulation") and that the information provided to the customer as the contract content must have the capability to ensure that only that information will be approved by the customer, provided that the process of establishing a contractual relationship between the service bank and the customer is initiated via the interface of the interface provider and completed via these service channels. Thus, the service bank is obliged to comply with this liability.
On the other hand, the interface provider and service bank are now severally responsible for ensuring that the mobile application or browser-based interface of the interface provider, which the customer uses to access the services offered by the service bank, complies with the authentication and transaction security obligations stipulated in the Information Systems Regulation.
Interface Providers Are Now Subject to the Regulation on Procurement of Support Services by Banks
Besides receiving service from the service bank, the Regulation also regards interface providers as a support service organization under the Support Services Regulation in terms of acting as an intermediary for the establishment of a contractual relationship between the service bank and the customer or allowing the customer to be provided with banking services by the service bank via the interface provided under this contract.
As we know, under the Support Services Regulation, banks cannot provide their "deposit or participation fund acceptance and marketing for deposit or participation fund acceptance" activities via support service organizations. Considering the nature of the process, the Regulation introduces an exception to this issue in terms of BaaS. The Regulation stipulates that the service provided by interface providers will not be subject to the prohibition of support services for marketing activities only if the deposit or participation fund is not deposited to the service bank via the interface provider, except where the interface provider does not accept deposits or participation funds for service bank and is a payment service provider (namely, a payment institution or an electronic money institution).
Moreover, the Regulation also provides service banks with the ability to receive support service from the interface provider by collecting credit card requests via the service channels of the interface provider.
Also, its ability to provide support services to a service bank as an interface provider is subject to the Board's permission and required to be conducted by the service unit responsible for the on-site audit of the information systems of the institutions that are subject to the supervision and control of the BRSA under the Organization Regulation of the BRSA.
Systems Used by Interface Providers and Their Backups
In the Regulation, the systems and their backups used by the interface provider to perform its activities related to the support services offered to the service bank are also regarded as primary systems.
Hence, the Regulation includes sharing secret information by the service bank with the interface provider within the scope of the data exchange exception provided with the support services outlined in the Regulation on Sharing of Secret Information.
Minimum Criteria for the Service Agreement Between the Service Bank and the Interface Provider
The Regulation specifies the minimum provisions to be included in the service agreement between the service bank and the interface developer. We can say that these provisions outline the limits of the implementation of BaaS.
In this context, we can recap the rules the service bank and interface provider must comply with while implementing BaaS under the following subheadings. Besides being particularly significant for a frictionless user experience (UX), these rules are critical for a brand's positioning with the consumer.
· Highlighting That Interface Provider Is Not a Bank: The fact that the interface provider is not a bank with an operating license or a payment service provider — when it has not received the required operating permits yet — or another financial institution subject to an operating permit should be clearly emphasized in the contract to be established between the interface provider and the customer.
· Contract Samples Provided by the Interface Provider: A copy of the standard agreement between the interface provider and the customer and a copy of the standard agreement between the service bank and the customer should be included on the home page of the interface provider's website.
· Specifying the Service Banks of the Service User: The logo and name of the service bank(s) via which the service is provided are now required to be included and be visible on the home page of the interface provider's website.
· Brand Usage in Card Export Status: If the service bank exports a card payment instrument for the interface provider, the bank's name and logo must be visible on the stated payment instrument.
· Processing Limit regarding Secret Information: The services of secret information transferred to the interface provider upon the customer's request must be provided and processed within certain limits in the Regulation. Therefore, the Regulation prohibits interface providers from using such data for profiling or other marketing or CRM purposes.
· Holding Secret Information Domestic: The interface provider or the parties receiving service from the interface provider are required to store the systems and data backups considered secret information and processed by them while offering BaaS in the country.
· Cases Where the Interface Provider Receives Cloud Computing Service: When the interface provider receives cloud computing service within the scope of system and data backups where secret information is processed, the relevant services must only be received with a private cloud service model via the hardware and software resources allocated to the interface provider or outsourced with the community cloud service model where hardware and software allocated solely to organizations subject to the supervision and audit of the BRSA are physically shared, but logically, a resource specifically dedicated to each organization is assigned and approved by the BRSA.
· Supervision Authority of the Service Bank Before Interface Provider: Regarding the transactions of the service bank before the interface provider, the service bank must be provided with the ability to audit to ensure that the relevant transactions comply with the authentication and transaction security criteria stipulated in the Information Systems Regulation and assess the relevant data, documents, and records.
· Cases Where the Service Bank Terminates the Agreement Made with the Interface Provider: In cases where the service bank is determined to be unable to meet the obligations under the Information Systems Regulation regarding the information systems and service channels used by the interface provider in processing secret information, or where the permission provided by the BRSA to the service bank to provide services to the interface provider as a support service institution is cancelled, the service bank must be permitted to end the contract made between the service bank and the interface provider immediately, before the end of the contract term.
· Inability to Transfer Services: The services provided by the interface provider to the service bank and the services obtained from the service bank must be untransferable.
Banks' Capability to Provide BaaS Without Being Subject to the Expansion of Operations
The Regulation provides banks with the ability to offer the services they can provide within their available operating permits to interface providers via BaaS without making a request regarding the expansion of their activities.
By demonstrating the list of all interface developers it provides services to and its banking services, the service bank is also liable for providing information regarding the scope of its services on its website, and for submitting a copy of each service contract signed with the interface developers/providers, and a copy of each contract amendment that changes the scope of the services it will provide to the interface provider, to the BRSA in written form within one week following the signature date.
Cases Where an Interface Provider Works with Multiple Service Banks
According to the Regulation, an interface provider can work with multiple service banks. However, the capability of an interface provider to work with multiple service banks is subject to the Board's permission.
Including the obligations of interface providers to obtain an operating permit regarding Providing Account Information and Payment Order Initiation Service defined as payment services within the scope of Law No. 6493, the Regulation also stipulates that the relevant permission to be granted by the Board will not remove obligations arising from other relevant Regulation.
Despite this provision, we believe an interface provider's capability to leverage the Providing Account Information and Payment Order Initiation services to be offered by a single service bank is still unclear.
Fees and Benefits the Service Bank and the Interface Provider Can Receive from the Customer
Regarding all kinds of fees, expenses, commissions, and benefits that the service bank and interface provider can receive and obtain from the customer, the Regulation reserves the provisions of the Consumer Protection Law, the Article 144 of the Banking Law, titled "interest rates and other benefits", and the applicable sub-regulations.
Moreover, the BRSA reserves the right to cancel the permission granted to the interface provider in cases where the BRSA allows the interface provider to offer additional banking services to its customers via its interface and determines that all kinds of fees, expenses, commissions, and benefits, that the interface provider will receive from its customers in return for the service fee paid to the service bank, if any, are used for fraud against these provisions, or that the support services offered by the interface provider to the service bank do not comply with the provisions of the relevant Regulation.
We can say that the transitivity of the banking industry with others will increase with the BaaS introduced by the Regulation.
With this transitivity, banks will be able to grow their customer portfolio. Moreover, industries, such as e-commerce, retail, aviation, and telecom, that are possible interface providers with the ability to reach their users via the internet will be able to act with their banking muscles to boost customer loyalty without disturbing UX.
Thus, we can say that banking services will liberalize more with an increase in the touchpoints with their customers.
By: Gökhan Yüksel, Yaşar K. Canpolat