The Financial Technology Law Review: Turkey

Overview

The general policy and regulatory approach in the fintech ecosystem is to ensure the establishment of a regulatory infrastructure to implement financial and information security. Recently, there have been new developments in that stricter rules have been set within the fintech ecosystem. The essential legal and regulatory matters concerning fintech are those regarding payment services, e-money institutions and alternative funding methods. This is mainly the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493), which regulates the activities and licensing of payment systems, electronic money institutions and payment institutions in Turkey. The Amendment to Law No. 6493, drafted in accordance with the requirements of the second Payment System Services Directive (Directive (EU) 2015/2366 (PSD II)), stipulates the establishment of the Turkey Payment Services and Electronic Money Association, which has since been established. Payment institutions and electronic money institutions are obliged to become members, and new institutions must apply to become members within one month of obtaining their operation permit.

The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services Providers were published in the Official Gazette dated 1 December 2021. However, a transition period of one year has been defined as of the effective date for compliance with all new provisions introduced by the Regulation. The Regulation abolishes the previous Regulation, namely the Regulation on Payment Services and Issuing Electronic Money and Payment Institutions and E-money Institutions, and aims to regulate the operations and services of payment and electronic money institutions in a stricter manner.

As regards cryptoassets, the Regulation Prohibiting Payments Through Crypto Assets (the Crypto Assets Regulation), issued by the Central Bank of the Republic of Turkey (CBRT), entered into force on 30 April 2021. The Regulation prohibits licensed payment institutions and electronic money institutions from using cryptoassets in their operations; however, it does not introduce any regulations with respect to cryptoasset trading platforms. Additionally, within the framework of the Regulation Amending the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism, published in the Official Gazette dated 24 February 2021 (the MASAK Regulation), cryptoasset service providers have been included within the definition of 'obliged parties' and will be subject to inspection by the Turkish Financial Crimes Investigation Board (MASAK). Following entry into force of the Regulation, MASAK also published a guide titled the Main Principles for Crypto Asset Service Providers Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism. It is also important to note that, with its Decisions Nos. 1229 and 1230, dated 25 November 2021, the First Chamber of the Judges and Prosecutors Council established specialised courts for cybercrimes and financial crimes. All of the above may be considered as steps towards the government's recognition of cryptoassets.

Additionally, the Turkish Fintech Ecosystem Status Report 2021, prepared under the coordination of the Presidential Finance Office, was published in December 2021. According to the report, there were 520 fintech companies and a total of 56 accredited payment and e-money fintech companies within Turkey as at 30 December 2021.

Regulation

i Licensing and marketing

Turkey regulates a comprehensive scope of financial services and activities. Financial institutions are obliged to obtain authorisation from relevant regulators (i.e., the CBRT, the Capital Markets Board (CMB) and the Treasury) to be incorporated and to conduct financial activities. As per Law No. 6493, licensing requirements apply in all cases that involve the provision of payment and e-money services. The market is highly regulated and there are significant financial barriers of entry into the market. In this context, payment services and e-money services can only be offered if the provider is granted a licence by the CBRT. A licensed entity can be incorporated to offer payment services only if it is incorporated as a financial institution that falls under the definition of a bank as listed within Turkey's banking legislation (namely the Banking Law (Law No. 5411)), an e-money institution or a payment services provider.

Pursuant to the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, requirements for applications for operation permits have been tightened by way of a two-stage evaluation: an informative investigation stage and a final stage. The corporate name of the company applying for an operation permit is required to contain phrases showing that it is a payment institution or an e-money institution, and the application fee for the authorisation permit has been regulated as 500,000 Turkish lira. In addition to this, the amount of the paid-in capital of the company, free from collusion, has been increased to 5.5 million lira for payment institutions providing intermediary services for invoice payments exclusively, 9 million lira for other payment institutions, and 25 million lira for electronic money institutions. Also, according to the Regulation, institutions are now required to pay a licence fee of 1 million lira upon receipt of the operation permit.

The sale and marketing of financial services and products may fall under the supervision of the CBRT, the Banking Regulation and Supervision Agency (BRSA) and the CMB. The CMB's Communiqué on Principles on Investment Services and Activities and Ancillary Services (No. III-37.1) and the BRSA's Regulation on Banks' Procurement of Support Services impose certain restrictions on financial service providers as well as vendors providing the sale and marketing of financial services in Turkey. Additionally, pursuant to the BRSA Regulation, payment institutions and e-money institutions are prohibited from granting loans and, thus, are prohibited from engaging in advertising and marketing activities creating the impression of granting a loan.

Automated digital advisory is not specifically regulated under Turkish legislation; however, if the advisory services to be carried out are in relation to a regulated financial activity, regardless of its form, either digital or in person, these advisory activities may be subject to an authorisation or an exemption, depending on the type and content.

With the Regulation on Establishment and Activities of Asset Management Companies and Receivables to be Acquired (the Asset Management Regulation), published in the Official Gazette dated 14 July 2021, the structure and activities of asset management companies have been amended. The Asset Management Regulation sets forth that asset management companies must obtain authorisation from the BRSA prior to their establishment to carry out their activities, and the condition of having paid-in capital, free of all kinds of collusion and in cash, of no less than 20 million lira has been increased to being no less than 50 million lira.

Providing credit references or credit information services in Turkey is a regulated activity under Law No. 5411. Payment institutions and e-money institutions are prohibited from conducting lending activities. A Risk Centre has been established within the Banks Association of Turkey for the purpose of collecting the risk data and information of clients of credit institutions and other financial institutions deemed eligible by the BRSA and ensuring that this information is shared with the institutions or with the relevant persons or entities themselves or with real persons and private legal entities, if approved.

ii Cross-border issues

Under Turkish law, a licence to provide financial services in Turkey cannot be obtained unless the company is governed by Turkish law; however, with the adoption of the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, it has been determined that fintech companies may cooperate with institutions abroad when providing financial services.

A fintech company is required to be incorporated and licensed in the local Turkish jurisdiction by the CBRT. The requirement also applies to companies that provide cross-border services and products, and whether the products are actively marketed or the client in the jurisdiction solicits the service or product, is not relevant.

The Regulation sets forth the principle for the cooperation of payment and e-money institutions with legal entities residing abroad. The Regulation allows cooperation with legal entities residing abroad that have obtained permission from the CBRT, in line with their objectives or operations. However, the foreign legal entity in question must also be authorised to provide payment services or issue electronic money by the relevant authorities of the country in which its headquarters are located. The legal entity residing abroad, with which the cooperation is made, may not be exposed as the face of the service alone to the customer. Additionally, institutions will continue to be accountable to domestic customers for the services provided within the scope of the cooperation.

Also, pursuant to the MASAK Regulation, branches, agencies, representatives, commercial proxies and similar affiliated units in Turkey will be deemed liable for crypto money service providers headquartered abroad.

Pursuant to the Turkish Direct Foreign Investment Law (Law No. 4875) and Law No. 5411, there are no restrictions or limitations on ownership of companies by foreigners. On the contrary, direct foreign investments are promoted through Law No. 4875.

Digital identity and onboarding

There is no general regulation regarding digital identity in the Turkish legislation. However, there are separate pieces of legislation concerning the elements of electronic capture and storage attributes or credentials that may uniquely identify a person and create a digital identity. The Electronic Signature Law (Law No. 5070) lays out the principles on digital identification. Following Law No. 5070, the Communiqué on Electronic Signature and Relevant Procedures and Technical Criteria has also set a technical basis regarding the electronic signature that may be used in the creation of a digital identity.

Relevantly, the term 'open banking' has been defined for the first time in the Regulation on Banks' Information Systems and Electronic Banking Services, published in the Official Gazette dated 15 March 2020, which entered into force on 1 January 2021. Pursuant to the Regulation, remote identification and digital onboarding have been regulated for the first time. In this context, open banking services may now be used for digital identity. Additionally, the Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relations in Electronic Environment, drafted by the BRSA to determine remote identification methods, was published in the Official Gazette dated 1 April 2021.

The CMB has been authorised to provide the applications to be used in the execution of the remote identification process through a central structure.

Pursuant to Article 6/A, added to the Regulation on the Prevention of Laundering Proceeds of Crime and the Financing of Terrorism by the MASAK Regulation, if the legislation pertaining to the obliged party's main field of activity allows for the establishment of a contract with methods that will allow the verification of his or her identity without face-to-face contact with the customer, remote identification methods may be used to verify the identity of the customer in the establishment of a permanent business relationship with real persons. The Ministry of Treasury and Finance is authorised to determine the methods and measures that can be used. In accordance with the Financial Crimes Investigation Board General Communiqué (No. 19), published in the Official Gazette dated 30 April 2021 and numbered 31470, remote identification tools such as informatics or electronic communication devices can be used within the methods determined for obliged parties. The important point here is that the method to be applied should be designed in such a way as to include all the information required for face-to-face identification and to contain the minimum risk in the confirmation of the information. For remote identification, there is no restriction on whether the customer is a Turkish citizen and there is no limitation on transactions it can be used in.

Digital markets, payment services and funding

Law No. 6493 and its supplemental secondary legislation regulate the market and concepts such as e-money, digital wallets and digital currencies. The Crypto Assets Regulation has defined cryptoassets for the first time as intangible assets that are created virtually by technology such as distributed ledger technology or similar and are distributed through digital networks but cannot be acknowledged as 'fiat money, deposit money, electronic money, payment instruments, securities or other capital market instruments' and stipulates that a special set of rules shall be applied to cryptoassets.

The general rules and principles regarding investment funds are mainly regulated under the Law on Capital Markets (Law No. 6362). The CMB has regulated further details regarding the establishment and activities of investment funds under the Communiqué on the Principles of Investment Funds (No. III.52.1) and has also introduced the Investment Funds Guide with its Resolution No. 19/614, to clarify the rules and principles stipulated in the Communiqué. The Communiqué Amending the Communiqué (No. III-52.1.c) (the Amending Communiqué) entered into force upon its publication in the Official Gazette dated 12 March 2019, and the Guide was also amended on the same date to reflect the changes introduced through the Amending Communiqué.

Communiqué No. III-35/A.2 on Crowdfunding entered into force upon its publication in the Official Gazette dated 27 October 2021 and designates the CMB as the supervisory regulatory authority. The Communiqué repealed the Communiqué on Share-Based Crowdfunding (No. III-35/A.1), and debt and share-based crowdfunding was regulated in a single communiqué. As per the Communiqué, crowdfunding activities shall be conducted via crowdfunding platforms, which can be joint stock companies solely providing crowdfunding services; or investment institutions that are development and investment banks, participation banks or intermediary institutions.

Law No. 7222 on the Amendment of the Banking Law and Some Other Laws, which was published in the Official Gazette dated 25 February 2020 and numbered 31050 and came into force on the same date, introduced the concept of crowd-lending. With regard to crowdfunding, with the amendment made in the first paragraph of Article 35/A of Law No. 6362, the CMB is empowered to make a determination regarding crowdfunding activities by collecting money from the public based on partnership or lending.

As per Law No. 7222, the provisions of the banking legislation shall not be applied for financing provided through lending-based crowdfunding and shall not be considered as deposit or participation fund acceptance. This situation may bring an alternative to conventional and participation banking models, especially in financing innovative projects with industrial and technology companies.

Additionally, peer-to-peer lending is not currently regulated in a manner synonymous with the definition found under PSD II. However, debt-based crowdfunding platforms, which can be considered peer-to-peer lending, have just been regulated, although a communiqué for these platforms has not yet been prepared by the CMB.

There are significant duties levied upon payment service providers and these institutions are obliged to be licensed by the CBRT. Additionally, payment service providers have a duty of confidentiality within the Turkish legislation, namely the Banking Law, the Turkish Commercial Code, the Turkish Criminal Code and the Personal Data Protection Law. This duty limits the sharing of data in a manner that would be considered as promoting competition. However, Law No. 7192, introducing a variety of amendments to Law No. 6493, stipulates that the CBRT is vested with the power to enact secondary legislation that may require payment service providers to share data with other payment service providers. In this regard, pursuant to the Regulation on Banks' Information Systems and Electronic Banking Services, the private financial data of customers in banks can be shared with third parties, namely third-party providers, with customer permission. With this model, financial data belonging to customers, and that the banks do not share among themselves, are no longer private to banks and are placed on a common platform with the request and consent of the customer, making the data available to fintech companies.

In line with this approach, in the Turkish Competition Authority's Report on Financial Technologies in Payment Services, the open banking model is explained in response to the need for regulatory rules that prevent exclusionary actions from the very beginning. With the report, a step has been taken to support third-party sharing. In addition, the Regulation on the Sharing of Confidential Information, which regulates the sharing and transfer of bank secrets and customer secrets, regulates confidentiality obligation exceptions and the principles regarding the sharing of confidential information.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

There is no specific regulation governing cryptocurrencies; however, there are no specific provisions under the Turkish legislation that prohibit individuals from owning and exchanging cryptocurrencies. Nevertheless, the Crypto Assets Regulation prohibits:

  1. the direct or indirect use of cryptoassets in making payments;
  2. the provision of services enabling the direct or indirect use of cryptoassets in making payments;
  3. the development of business models, or the provision of services related to those business models, by payment service providers regarding the direct or indirect use of cryptoassets in the provision of payment services or the export of electronic money; and
  4. payment and electronic money institutions from acting as intermediaries between platforms providing services on the trading, depositing, transferring or exporting of cryptoassets.

In light of the foregoing, although the Regulation prohibits licensed payment institutions and e-money institutions from using cryptoassets in their operations, it does not introduce any regulations with respect to cryptoasset trading platforms. Taking into consideration that cryptoassets reflect only one aspect of blockchain technology applications, we believe that this Regulation will not prevent significant technological developments that are constituted on blockchain technology, such as digital identity, open data or smart contracts in Turkey.

There is no specific regulation governing ICO or token generation events. The CMB has not yet classified or assessed security tokens.

Because cryptoasset service providers have been included within the definition of obliged parties under the MASAK Regulation, the appointment of a compliance officer and identity verification of account holders, together with the reporting of suspicious transactions, are commonplace requirements imposed upon fintech companies. Turkish anti-money laundering legislation, namely the Law for Preventing Laundered Criminal Income (Law No. 5549) and its supplemental regulation, requires that fintech companies (dealing with cryptocurrency and tokens) implement procedures to combat bribery. MASAK also regulates fintech products and services in terms of money laundering proceedings for crime and terrorist financing.

As regarding tax issues, to be able to impose tax on cryptocurrencies and tokens, the Tax Law has to be amended in a comprehensive manner. If cryptocurrencies were to be qualified as a commodity in Turkey, the income derived from the exchange of cryptocurrencies would be subject to income tax. However, for the time being, gains derived from cryptocurrencies are not included within the types of income that are subject to income tax.

There is no regulation allowing or restricting the offering of tokens to residents from abroad.

Other new business models

Pursuant to the Turkish Law of Obligations (Law No. 6098), for a contract to be legally binding, there must be an offer and an acceptance, and the parties should have the intention of making the contract legally binding. Because of the nature of self-executing contracts, without separate legislation to regulate these, their enforceability may be challenged on the grounds that they restrict parties' negotiation power over the terms and conditions of an agreement. In addition, self-executing contracts are not legally enforceable as formal contracts specified by certain laws (e.g., real estate contracts, vehicle sales agreements).

There is no regulation regarding artificial intelligence (AI) under Turkish legislation; however, the Digital Transformation Office, structured under the Presidency, has been granted with the task of leading the AI transformation process. In this context, the National Artificial Intelligence Strategy 2021–2025, drafted in cooperation with the Digital Transformation Office of the Presidency of the Republic of Turkey and the Ministry of Industry and Technology, was announced on 24 August 2021, and the Presidential Circular on the National Artificial Intelligence Strategy was published in the Official Gazette dated 20 August 2021.

Product price comparison websites are not specifically regulated under Turkish legislation; however, general law principles shall apply. Regarding new business models, with the Regulation on the Operating Principles of Digital Banks and Service Model Banking, which was published in the Official Gazette dated 29 December 2021 and which entered into force on 1 January 2022, the procedures and principles regarding the activities of branchless banks, which only serve through electronic banking services distribution channels, and the provision of banking services to financial technology companies and other businesses as a service model have been determined. In terms of digital banks, operation limitations, mandatory service continuity level and licensing requirements are stipulated under the Regulation. Additionally, the principles of service model banking are regulated under the Regulation; entities are able to provide service model banking services to domestically localised interface providers only and solely within the framework of their own operation permits.

Additionally, regarding crowdfunding, the amendments made with Communiqué No. III-35/A.2 on Crowdfunding have made it possible for crowdfunding platforms to form more than one investment committee. Platforms were given the opportunity to fund campaigns up to a maximum of 50 per cent of their own resources in total, up to a maximum of 20 per cent of the targeted fund amount for each campaign. Special regulations have been introduced for debt-based crowdfunding. In addition to the general obligations of the platforms that carry out debt-based crowdfunding activities, it is now obligatory to establish an effective and transparent credit rating system and policy to assess each project's risk status.

Intellectual property and data protection

The Turkish jurisdiction does not afford patent protection to software-implemented inventions and business methods. Copyright protection is the method that can be utilised for protecting ownership rights over software. Copyright protection is a natural protection that is offered to the creator from the moment the property is offered or made available to the public. There is no application similar to that of a patent application that is required of a copyright holder.

There are two distinct regulations regarding duty of confidentiality: Law No. 5411 governs confidentiality of banking and financial information and the Personal Data Protection Law (Law No. 6698) prohibits or sets limitations to the disclosure, processing and transfer of personal information, which would also include client information.

The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers includes the term 'sensitive customer data' and defines it as personal data and customer security information used in issuing payment orders or verifying the identity of the customer, and which, if captured or changed by third parties, may allow fraud or fraudulent transactions on behalf of the customer. In this context, fintech companies are obliged to take the necessary measures for the protection of secrets and personal data, especially sensitive customer data and data belonging to themselves, in the procurement of external services.

The Regulation for Disclosure of Confidential Information was published in the Official Gazette dated 4 June 2021 and was due to enter into force on 1 January 2022; however, pursuant to the Regulation Amending the Regulation for Disclosure of Confidential Information, the effective date has been amended to 1 July 2022. With the Regulation also referring to Law No. 6493, it is aimed to determine the scope, procedures and principles of the sharing and transfer of confidential bank and customer data. Within the scope of Article 73 of Law No. 5411, regulations were made regarding the confidentiality obligation, exceptions and definition of confidential customer data.

Pursuant to Personal Data Protection Board Decisions Nos. 2020/191, 2020/192, 2020/193 and 2020/194 of 3 March 2020, notifying that the data stored in the Banks Association of Turkey Risk Centre had been violated by several factoring companies, the Board imposed administrative sanctions on the factoring companies because some of their employees had transferred data collected through the Risk Centre with legally unauthorised persons.

Additionally, as per the Regulation on Banks' Information Systems and Electronic Banking Services, banks are able to benefit from cloud computing systems as an external service tool, provided that these systems are kept within Turkey in accordance with the provisions of the Regulation. As per the Communiqué on Management and Supervision of Information Systems of Payment Institutions and Electronic Money Institutions, payment institutions and electronic money institutions shall mandatorily have their primary and secondary systems located in Turkey, and cloud computing must be within the scope of these systems. Therefore, if electronic money and payment institutions store data via cloud computing systems as external services, data centres must be located in Turkey.

As per the Regulation on the Independent Audit of Information Systems and Business Processes, which was published in the Official Gazette dated 31 January 2022, auditing of the information systems and business processes of the institutions under the supervision and control of the BRSA shall be made by the independent audit firms authorised within the scope of the Regulation.

Year in review

The past 18 months were unarguably remarkable for the fintech sector. The decisions of the Judges and Prosecutors Council on the establishment of specialised courts for cybercrimes and financial crimes were published in November 2021. Following these decisions, secondary legislation for payment services and electronic money issuance entered into force, and the Turkish Competition Authority published a sector report wherein the sector was examined thoroughly in the light of the new secondary legislation. Moreover, the Regulation on the Operating Principles of Digital Banks and Service Model Banking entered into force and the sector was completely reshaped following this. Within this context, the regulatory framework for the sector has been determined and established through these developments.

Additionally, the Crypto Assets Regulation introduced the regulation of cryptoassets under Turkish legislation, with the CBRT banning payments with cryptoassets. However, it is important to note that the Regulation does not prohibit trading in cryptoassets, and only eliminates their use as a payment tool.

It was a period in which remote identification was regulated in detail under Turkish law, with traditional written forms for registering new customers or establishing contractual relationships being replaced with methods utilising information or electronic communication devices.

Additionally, the Turkish Fintech Ecosystem Status Report 2021, prepared under the coordination of the Presidential Finance Office, was published in December 2021. As per the report, there were 520 fintech companies and a total of 56 accredited payment and e-money fintech companies within Turkey as at 30 December 2021.

These developments are of great significance in terms of providing services and innovative products that benefit consumers in the competitive conditions of the existing structure, as well as paving the way for new innovative initiatives in fintech ecosystems. However, it can be said that, specifically with cryptoassets, the legislation is coming from a place of distrust among regulators.

Outlook and conclusions

A developing and vibrant fintech industry is emerging in Turkey, as the financial technologies are transforming finance, business and transaction models and challenging the regulation at a constant rate. Turkish regulatory bodies closely monitor the developments and prepare reactive regulations to meet the requirements generated by the technological developments.

Although it seems that an unfriendly environment has been created with the Crypto Assets Regulation, it can be said that the government is observing the uncertainties surrounding cryptoassets, technological developments and the establishment of public acceptance, as well as the formation of uniformity within the global fintech sector for new regulations. In the face of the fact that the use of cryptocurrencies is likely to increase in the future, we expect important new regulations to be introduced within the Turkish legislation.

New regulations are being adopted that enable the entry of new actors to the fintech market, increasing cooperation with the banking sector and facilitating the development of the fintech sector in Turkey, such as the new Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services Providers and the Regulation on the Operating Principles of Digital Banks and Service Model Banking.

In addition, studies continue within the scope of the National Fintech Strategy Document, which will reveal the action plan for the fintech ecosystem between 2022 and 2025, in accordance with the Presidential Finance Office's Turkish Fintech Ecosystem Status Report 2021. The Document, which is planned to be published later in 2022, will serve as a road map for the development of the sector.

In line with the recent developments, sub-regulations on payment services, e-money, open banking and technical standards will be formed in 2022, and the actors entering the transition process will have completed the necessary processes by the time these regulations have been formed. Taking into consideration the products and services being offered, it is safe to say that this transformation has also started to reach end users.

Finally, it is important to point out the Turkish Competition Authority's preliminary report, Financial Technologies in Payment Services, which was published in December 2021 and which evaluates the reasons for the emergence of the fintech sector. The report states that the fact that fintech companies are highly dependent on the banking infrastructure in their activities creates a vertical relationship between fintech companies and banks, and that with respect to the payment services market, each bank is in a dominant position because of the financial services companies' inability to access their own customers' data. This report may pave the way for a horizontal relationship between banks and fintech actors.

Footnotes

1 Cigdem Ayozger Ongun is a managing partner, Volkan Akbas is a managing senior associate and Deniz Erkan is a senior associate at SRP-Legal.

The Law Reviews content