Meaning the beginning of a new era in the FinTech industry, the secondary regulations long-awaited by the industry have been published.
Aiming to comply with the European Union's Payment Services Directive 2 (PSD 2) regulation, these regulations bring critical changes to the business manners of licensed players in the FinTech industry, besides determining the license requirements of open banking.
However, we can also say that these regulations both critically influence the business manners of current licensed players and move the requirements to which new players of the industry will be subject to a higher level in detailing the license conditions.
Moreover, some players, who have utilized the exceptions and resumed their business models without a license so far, may be subject to a license as part of the newly-introduced rules.
What Are "Secondary Regulations"?
· The Central Bank of the Republic of Turkey ("CBRT") published two regulations ("Secondary Regulations").
1) Regulation on Payment Services and Electronic Money Issuance, Payment Service Providers ("Regulation")
2) Communiqué on IT Systems of Payment and Electronic Money Institutions and the Data Sharing Services of Payment Service Providers in Payment Services Area ("Communiqué on Information Systems")
· The regulation replaces the Regulation on Payment Services and Electronic Money Issuance, Payment Institutions and Electronic Money Institutions, the sub-regulation of the Law on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions numbered 6493 ("Law numbered 6493"), while Information Systems Communiqué replaces Communiqué on the Management and Audit of Information Systems of Payment Institutions and Electronic Money Institutions, the communiqué of the Law numbered 6493 which regulates information systems.
In this regard, Secondary Regulations include;
· the amendments regarding the information systems and existing business manners of existing Payment Institutions ("PI") and Electronic Money Institutions ("EMI"), (hereinafter collectively referred to as "Institution"), and
· the operation permits that companies that will offer open banking products, [(i- account information providing service ("AIPS") and ii- payment order initiation service ("POIS")], which have recently entered the legislation, must obtain and rules they need to comply during their activities.
We can summarize the highlights of the changes brought by the Secondary Regulations as follows. You can find the details of the relevant headings in the continuation of our article.
1. Operational Permit Applications Are Now Conducted in Three Stages.
2. Minimum Equity Amounts are Determined, while Professional Liability Insurance Obligations are Introduced to Certain Institutions.
3. The Minimum and Base Collateral Amounts that Institutions Must Keep Before the CBRT are determined.
4. The Way to Operate is Paved for FaaS or WaaS Business Models.
5. The Way for the Profitability of Payment Funds Protection Accounts is Opened.
6. Stable Coins Meeting the Conditions Are Included in Electronic Money.
7. The Details of Services within the Context of Open Banking are Determined.
8. While the Operating Limits of Institutions are Protected, Institutions That Exclusively Provide Open Banking Services are Permitted to Provide Value-Added Services.
9. The Limited Network Exemption is Restricted within the Scope of the Business Model, while an Obligation to Notify the CBRT is Introduced for Those Who Utilize the Exemption with an Annual Transaction Volume of 50 Million TRY or more.
10. A Workplace Registration System is being built before ICC for the Prevention of Fraud and Malicious Use Activities.
11. Rules on Prepaid Instruments and Minors Are Gotten Stricter.
12. While Authentication is Introduced with Remote Communication Tools, Simplified Authentication Opportunity is Limited.
13. Obligations Regarding Information Systems Largely Complies With The Information Systems Regulation Of Banks.
14. Partnerships of Organizations with Companies Abroad are Subject to Strict Rules.
15. Their Field of Activity limits companies In Which Institutions can be Shareholders.
16. Industrial Practices Regarding External Service, Board of Directors, and Corporate Governance are Reflected in Obligations.
17. New Obligations Are Introduced Regarding Risk Management, while the CBRT is Entitled to Request the Suspension of the Authority of Independent Audit Firms.
18. Issues Regarding the Protection of Funds are Clarified.
19. Detailed Regulations Regarding Agreements and Payment Transactions Are Introduced.
20. Compliance with Secondary Regulations and Transition Periods are Specified.
1. Operational Permit Applications Are Now Conducted in Three Stages
· The application for an operational permit ("License") is divided into three stages as "Pre-Application Stage" to be made to the CBRT before the trade name is registered in the trade registry, "Intelligent Permit" to be conducted within six months following the completion of the first stage, and "Final Approval" that will be performed subsequently.
· During the intelligence permit stage, companies will inform the CBRT regarding their fields of activity, financial structures, and eligible shareholders. The final approval stage will be initiated if the intelligence permit stage is completed successfully. During the final approval stage, companies must present their capital, technical, personnel, workflows, insurance, collateral statuses, and independent (technical and financial) audit reports. Thus, companies that will receive new operational permits to offer open banking services can now present their technical qualifications, namely their integration with the Interbank Card Center ("ICC"), during the third stage (conditional operational permit is granted in case of delays originating from ICC).
· The license application fee is determined as 500,000 TRY, while the license fee - to be paid for once - is 1,000,000 TRY.
· A strict schedule must be followed for the intelligence permit and final approval stages.
Before the regulation, PIs and EMIs had to fulfil their requirements, such as HR, before obtaining an operational permit. This situation was subject to criticism as it created expenses due to reasons such as salary payments made by the companies when they were not active while applying for licenses. Following the introduction of these three stages, this situation is eliminated. However, the Regulation has set a strict schedule for companies who will apply. Thus, the application process must be well planned to comply with the relevant schedule.
2. Minimum Equity Amounts are Determined, while Professional Liability Insurance Obligations are Introduced to Certain Institutions
· Minimum equity amounts are determined as 3 Million TRY for payment institutions that mediate bill payment, 5 Million TRY for payment institutions, and 13 Million TRY for electronic money institutions. The CBRT will reevaluate these amounts every year in January by considering the annual changes in the price indexes published by the Turkish Statistical Institute.
· It is ensured that the equity mentioned above amounts are minimum, while in case the minimum equity amounts to be determined by the formula to be calculated gradually based on the payment volumes of the Institutions are high, the determined amount will be valid.
· Organizations providing AIPS services exclusively are exempted from the minimum equity liability. However, organizations that offer POIS are obligated to provide a minimum amount of equity no matter whether they offer this service exclusively or not (there is no specific capital limit for AIPSs under Law No. 6493).
· Organizations that exclusively offer AIPS are now obliged to have professional liability insurance of at least 1 million TRY and keep collateral. The rule of increasing the relevant insurance and coverage by 500.000 TRY for every 100.000 new customers is introduced.
· Unlike the industry's expectation, the regulation did not introduce any exception/limit regarding the institutions' capital adequacy offering AIPSs exclusively. Thus, these Institutions are now required to have a paid-in capital of 2 Million TRY just like a regular payment institution.
3. The Minimum and Base Collateral Amounts that Institutions Must Keep Before the CBRT are determined
· The regulation stipulates the amount of collateral that institutions should keep before the CBRT separately as "minimum" and "base" collateral.
· The minimum collateral amount is determined as 2 Million TRY for intermediaries for invoice payment institutions, 3 Million TRY for other payment institutions, and 5 Million TRY for electronic money institutions.
· The base guarantee amount of the institutions is determined by a formula to be calculated gradually by considering the number of customers.
· Moreover, the Institution must have extra collateral of 500 thousand TRY for every 1000 representatives it will use while performing its activities.
· The regulation did not introduce any minimum guarantee obligation for payment institutions providing AIPS services exclusively.
4. The Way to Operate is Paved for FaaS or WaaS Business Models
· The regulation details the procedural requirements regarding representations and requires submitting the necessary information and documents regarding the representatives to the Association of Payment and Electronic Money Institutions of Turkey ("Association"). Meanwhile, Institutions are now liable for showing due diligence while selecting representatives.
· Electronic Representation Opportunity is also introduced.
· The regulation prohibits the Institution to authorize third parties in any way to provide payment services besides using a representative as well as signing a contract with third parties under a name exempting a representative contract.
· While the provisions for Institutions to establish branches are preserved, Institutions are now required to submit their branch lists.
With Law numbered 6493, the compatibility of business models such as Fintech As A Service ("FaaS") or Wallet as a Service ("WaaS"), which have been increasing worldwide recently, was a question mark. However, the regulation has now paved the way for these business models to be conducted under the Law with the electronic representation opportunity introduced.
This is considered to contribute to the industry's growth and be a positive development for companies such as Plaid and TrueLayer. They are Fintech players in open banking and eCommerce players and do not want to be subject to a license.
5. The Way for the Profitability of Payment Funds Protection Accounts is Opened
The regulation allows Institutions to invest their payment funds overnight at the bank in which the protection account is held. However, the same permission is not granted for electronic money protection accounts.
6. Stable Coins Meeting the Conditions Are Included in Electronic Money
· Intangible assets that are only issued in exchange for one-to-one fiat currencies created virtually and distributed via digital networks are considered as electronic money if they are issued against funds accepted by the issuing Institution, stored electronically, used to perform the payment transactions defined in Law and accepted as a payment instrument by real and legal persons other than the issuing Institution.
· It is also regulated that the CBRT will provide an independent regulation concerning the intangible assets to be included in the above scope.
It is now considered that the financial instrument complying with the definition created within the regulation is close to stable coins due to its nature. In this regard, stable coins likely to be included within the Regulation will now be considered electronic money. Thus, companies issuing such coins will be subject to licenses.
7. The Details of Services within the Context of Open Banking are Determined
· The regulation defined ICC as an aggregator for open banking services. Thus, payment service providers ("PSP") will perform their data exchange within open banking via ICC from now on.
· The CBRT authorizes ICC to inspect whether the technical and operational requirements to be published concerning open banking services (AIS and PIS) are complied with or not, requiring ICC approval to obtain an operational permit.
· The regulation now requires for all PSPs holding a payment account (definition below) concerning AIS and PIS to open their payment accounts to all other authorized PSPs that submit a request by connecting to ICC within six months at the latest after receiving the necessary permissions.
· The fees, expenses, commissions, and other benefits that the PSPs with a payment account will receive from the authorized PSPs regarding the AIS and PIS services must be at a reasonable level, directly and only in line with the costs that can be associated with this work. The regulation authorizes the CBRT to determine the maximum/minimum amount in the issue mentioned above or decide whether these services (among PSPs) should be provided free of charge.
· The CBRT is also provided with the authority to regulate which data can be shared within open banking by receiving the Competition Authority's opinion on competition-sensitive data.
· If a request is submitted to PSPs by another PSP to use the account services offered by them, the requesting PSP is obliged to provide account-related services under similar conditions with its other customers. In this context, any PSP that rejects the relevant application is obliged to provide the reasons for this rejection to the requesting PSP.
· Accounts other than drawing accounts, transaction accounts, credit card accounts, electronic money accounts as well as accounts opened in the name of the customer, where funds can be transferred to other persons without being associated with another account while temporary movements are monitored, are defined as payment accounts under open banking. The regulation also provided CBRT with the final decision-making authority to determine which accounts used for the services provided by PSP will be considered as payment accounts under Law Numbered 6493 and Draft Regulation.
· During the provision of AIPS and POIS services, the operational and data flow rules of access to the payment account are set.
· Obligations of stakeholders about complicated or incorrect payments are determined.
8. While the Operating Limits of Institutions are Protected, Institutions That Exclusively Provide Open Banking Services are Permitted to Provide Value-Added Services
· The existing operational limits of PIs and EMIs, excluding the payment system, are maintained. Besides, Institutions are now authorized to trade foreign currency under certain circumstances.
· Regarding the administrative and operational processes of legal entities, merchants, and Institutions providing Open Banking services, they are now allowed to provide "value-added services" and "information services related to other accounts held by PSP and not considered as payment accounts".However, value-added services are defined as "services not within payment services under the Law No. 6493 but facilitate, secure, or increase the efficiency of the administrative and operational processes of legal entities and merchants such as trade debt and receivable management, accounting, invoicing, product, stock, and supply management".
· The restriction on lending by institutions is preserved. As in the past, mobile payments are maintained as an exception to this situation by introducing some restrictive regulations.
Payment services are not the only activities of companies providing ERP services and offering open banking services exclusively. These companies also offer services such as software and value-added services. Many wondered how these companies would act within the limits of activity specific to Institutions when they received an operational permit from the CBRT to continue offering open banking services.
Providing flexibility in this sense, the Regulation now allows Institutions offering open banking services to provide value-added and information services related to other accounts held with payment service providers while not considered payment accounts.
We can discuss the practical outcome of this situation as follows: Companies covered by the expressed scope can continue to offer services besides payment services provided that they are still included in "value-added services". Nonetheless, while offering open banking services, they will still have to obtain an operational license as a payment institution and comply with all obligations that payment institutions are subject to. Thus, these companies may now alternatively offer open banking services via electronic representation.
9. The Limited Network Exemption is Restricted within the Scope of the Business Model, while an Obligation to Notify the CBRT is Introduced for Those Who Utilize the Exemption with an Annual Transaction Volume of Above 50 Million TRY
· Companies that provide services by utilizing the limited network and/or commercial agent exemption are obliged to notify the CBRT every year in January if the amount of transactions they conducted within this scope in the last 12 months exceeds 50 million TRY. Moreover, the regulation authorizes the CBRT to incorporate these services within the scope of payment or electronic money services. Thus, these institutions may be required to obtain a license.
· Considering prepaid instruments that can only be used in a distinct service network, the relevant payment instrument has to be usable in transactions to be made only via a particular store or chain of stores so that companies can utilize the limited network exemption ("limited network exemption"). Moreover, the regulation also introduces the same obligation to payments.
· However, the prepaid instruments, which are designed to be valid in all workplaces included in the areas where the prepaid card can be used within the scope of the contract conducted with the Institution that issued the prepaid card, are considered instruments without the ability to utilize the limited network exception.
· The Institution issuing the payment instrument now must be authorized to issue electronic money if the payment instrument is used as a payment method in workplaces. The amount related to the payment transaction is transferred via the Institution issuing the payment instrument in such transactions.
Considering these regulations, companies providing prepaid instruments and offering marketplace or loyalty card business models that dynamically include new brands into their scope may be required to reevaluate their business models under this provision.
10. A Workplace Registration System is being built before ICC for the Prevention of Fraud and Malicious Use Activities
· A Workplace Registration System is being established before Interbank Card Center Inc. ("ICC") to prevent fraud and malicious use in the field of payments.
· The regulations also provide Institutions with new obligations to notify this system for their contracted workplaces and check this system before making any contract with any workplace. An obligation is also introduced for Institutions not to provide services to workplaces if they have a ban on offering a service within the scope of the Workplace Registration System. Moreover, they are now obliged to conduct the necessary evaluations within risk management by considering the content of the records if they do not have such obligations.
11. Rules on Prepaid Instruments and Minors Are Gotten Stricter
· The usage area of anonymous prepaid instruments is now limited to the payment transactions, where the prepaid instrument bearer is physically at the workplace with the physical usage of the anonymous prepaid instrument, as well as invoicing transactions and goods or services procurements to be conducted before service providers and intermediary service providers with Trust Stamp.
· The regulations also require electronic communication operators to provide mobile payment services to their prepaid or postpaid subscribers in a closed way at the first stage.
· Electronic communication operators can only provide mobile payment services to their minor prepaid or postpaid users ("subscribers") by receiving approval from the legal representative of the relevant minor for these transactions to be performed. However, if the subscribers did not declare that the user of the line is a different person than themselves and that the user is not a minor during the contract formation or later, it is accepted that the user of the line is a subscriber and an adult, meaning that a kind of Opt-Out system is adopted.
· Excluding anonymous prepaid instruments, initial issuance of prepaid instruments to minors, obtaining the approval of the minor's legal representative during the establishment of electronic money accounts, the registration of the approval obtained, and establishing the necessary procedures for these are now considered obligations. Moreover, developing applications that will enable the legal representative to follow the said transactions and offering them upon request by such persons are now introduced as obligations.
12. While Authentication is Introduced with Remote Communication Tools, Simplified Authentication Opportunity is Limited
· Institutions are now provided with the ability to close deals with users via remote communication tools ("Digital Customer Acquisition").
· The possibility of obtaining information and documents required to be obtained from the customer regarding the framework contract to be conducted using the remote communication tool via a central structure approved by the CBRT is also indicated. In this regard, there is a possibility of building an institution that provides central digital identity soon.
· The regulation also requires the organization of the periodic and continuous payment relations performed with the framework contract via remote communication or in-person.
This year, banks were also allowed to acquire digital customers within the limits of the regulation published by the Banking Regulation and Supervision Agency and, subsequently, by the Financial Crimes Investigation Board (MASAK). The opportunity for FinTechs to utilize this opportunity has also been expected for some time. We can say that the regulation paved the way for this opportunity. However, we can also say that the movement area of FinTechs, which have advantages compared to banks, for simplified measures is now limited due to the new rules in the Regulation.
13. Obligations Regarding Information Systems Largely Complies With The Information Systems Regulation Of Banks
· The changes provided under the Communiqué mostly align the IT obligations of institutions with the "Regulation on IT and Electronic Banking Services of Banks".
· It is considered that the obligations imposed on the Institutions on the IT side have an extensive and detailed scope. Thus, the Institutions need to reevaluate their IT practices end-to-end.
· We can list the topics within the Communiqué as follows: Creating customer security information, rules on the internal governance of IT, designing software and hardware inventories, producing secure standard configuration data on all devices within the organization, performing network segmentation, creating new authentication rules, and the details of penetration tests.
14. Partnerships of Institutions with Companies Abroad are Subject to Strict Rules
· The regulation requires institutions to receive permission from the CBRT to partner with legal entities abroad.
· The scope of the relevant partnership limits the institution's payments services under the Law to be presented to its domestic customers together with the legal entity residing abroad, besides the payment services where at least one of the sender or recipient is located abroad.
· If the Institution stores the log records regarding the services within the partnership, the IT of the legal entity residing abroad will not be required to be located in Turkey.
· The CBRT is authorized to impose extra equity obligations on institutions conducting partnerships abroad.
15. Companies In Which Institutions can be Shareholders are Limited by their Field of Activity
· The companies in which institutions may have a share are determined as companies that i) issue electronic money, ii) provide payment services, iii) provide payment services under the exemption, iv) provide services within the operational limit for organizations, and v) offer value-added services. Institutions are now prohibited from having shares in companies outside this scope.
· If the Institutions hold shares in other companies, they are now required to notify the CBRT. Moreover, if the CBRT decides that this situation may adversely affect the activities of the Institution, the CBRT is now authorized to ask the institution to take measures to prevent this situation. If these measures are not then taken, the CBRT is entitled to request the institution to suspend the transaction or its reversion to the former situation provided that the transaction is completed.
16. Industrial Practices Regarding External Service, Board of Directors, and Corporate Governance are Reflected in Obligations
· Obligations related to External Service, Board of Directors, and Corporate Governance are mainly maintained. However, some industrial practices are clarified and included in the scope of obligations, while minor extra obligations are introduced.
· Internal audit personnel, risk management personnel, and the member of the board of directors to whom they will report must not be the spouse of the general manager and one of the other board members. Moreover, they must not be related by blood or affinity by marriage, including the third degree, with the general manager and other board members.
· The control of the activities performed by a representative or outsourcing being dependent on internal audit is now clarified.
· Considering the outsourcing of the Institution, the Institution is now clearly obliged to show due diligence while selecting the outsourcing provider, clarify the obligations of the outsourcing provider with a contract, and manage these risks effectively by considering the additional risks that may arise from outsourcing.
17. New Obligations Are Introduced Regarding Risk Management, while the CBRT is Entitled to Request the Suspension of the Authority of Independent Audit Firms
· The risk management system must be established in such a way as to ensure its effective management while identifying all risks that may jeopardize the smooth running of operations, and that may arise from all activities performed by the organization, relations with other institutions related to the activities performed, payment systems attended, external service providers, representatives, and other matters related to the activities performed.
· Within the context of risk management activities, an obligation is introduced to conduct necessary investigations, primarily via social media and online platforms, to determine whether the services provided by the Institutions under Law Numbered 6493 are used in illegal activities, especially in illegal betting, while taking necessary measures to prevent such transactions.
· The CBRT now has the authority to determine for the Institutions not to receive independent audit services from a specific independent audit firm if it deems necessary. Institutions are now required to develop a business continuity plan.
18. Issues Regarding the Protection of Funds are Clarified
· It is now required for the amounts of payment funds that must be deposited into protection accounts to be calculated as of 3 p.m. on full working days, while 11 a.m. on half working days.
· Regarding the process of issuing funds and electronic money accepted for issuing electronic money, the service fees received under commissions, fees, and similar definitions are required to be separated and collected, while the service fees received are required not to be reflected in the electronic money protection account.
19. Detailed Regulations Regarding Agreements and Payment Transactions Are Introduced
· The issues that need to be included in the One-Time Payment and Framework Agreements to be signed with the consumers are detailed. Moreover, the conditions for establishing these agreements via remote communication tools are regulated.
· The notifications that the POIS Provider must provide to the customers before initiating the payment order and what these notifications should include are also stipulated.
· Institutions are obliged to inform consumers of their rights evidently.
· Regarding a particular type of transaction within the scope of payment service and electronic money issuance, the CBRT is now authorized to determine the characteristics and maximum amount or rates of fees, expenses, commissions, and other benefits received by any of the parties under any name and release them partially or completely.
· The Institution with the payment account is authorized to block the access of the account information service provider or the payment order initiation service provider to the payment account by providing objective and provable reasons such as fraudulent or unauthorized access to the payment account or attempting to initiate a fraudulent or unauthorized payment transaction by these Institutions.
· The responsibilities of notification, correction, and proof of the transactions not authorized or performed inaccurately during the POIS are also regulated.
· How the fund flow will be for card-based payment transactions (Request Money apps) without a transaction amount that is known beforehand is also regulated.
20. Compliance with Secondary Regulations and Transition Periods are Specified
The deadline for the Regulation compliance period of the Institutions with an existing operational permit is specified as December 1st, 2022.
· While complying with the Regulation, December 1st, 2022 is determined as the date for those with an application for an operational permit before the regulation enters into force (Compliance with the provisions of the regulation on equity and collateral liability, the protection of payment funds, and the protection of funds collected in return for electronic money is always required. Otherwise, the operational permit will not be granted).
· The deadline for Institutions providing Open Banking services to be compliant in their activities with the operational limit specified in the Regulation is determined as one year following obtaining an operational permit.
· The deadline for Institutions partnering with an Institution abroad regarding the business models to apply for permission from the CBRT is determined as of June 1st, 2022.
· The deadline for obtaining operational permits for Institutions without utilising the limited network exemption is specified as December 1st, 2022.
· The deadline for Institutions issuing crypto-assets specified within the scope of the regulation to obtain an operational license is set as December 1st, 2022.
· Besides the above, various deadlines are specified for the compliance of contracts in many fields (e.g. agency agreements), business models (e.g. mobile payment), or situations (e.g. holding shares in other companies) with the Regulation.
For your questions, you can contact us via the e-mail address below: firstname.lastname@example.org
Writers: Gökhan Yüksel, Yaşar K. Canpolat