The Financial Technology Law Review: Turkey
The general policy and regulatory approach in the fintech ecosystem is to ensure the establishment of a regulatory infrastructure to implement financial and information security. The essential legal and regulatory matters concerning fintech are those regarding payment services, electronic-money institutions (EMIs) and alternative funding methods. This is primarily the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, which regulates the activities and licensing of the payment systems, EMIs and payment institutions in Turkey. The Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (the Amendment), drafted in accordance with the requirements of the Payment Services Directive II (PSSD II) (Directive 2015/2366) stipulates a provision regarding the establishment of the Turkey Payment Services and Electronic Money Association (the Association). It is anticipated that the establishment of the Association shall have a positive impact in the development of the fintech industry. Additionally, the 11th Development Plan of Turkey, published in the Official Gazette on 23 July 2019, includes objectives directly related to Turkish financial technologies ecosystem. The government's road map which is planned to be created accordingly, will be shaping the current Turkish fintech ecosystem and create a more secure fintech ecosystem in line with international best practices. Turkey has also recently adopted legislation regarding alternative funding methods, mainly different types of crowdfunding.
As for digital information sources regarding fintech, the Turkish Financial Crimes Investigation Board (MASAK), provides guidance and education on the matter. MASAK has also issued Sectoral Guidance Notes addressing financial institutions and banks; however, these do not yet specifically address fintech companies.
Both the government and regulators provide support to financial innovation, but this support is not specifically directed to the financial industry in most circumstances. This support is provided to entities that meet specific criteria. For instance, the incorporation of an entity within a special economic zone (i.e., tech development zone) with its primary business activity listed as technology would qualify the said entity for tax benefits. The Technology Development Law governs this field and provides for lower corporate income tax, withholding tax, income tax exemptions, employer social security contribution support payments and value added tax exemptions.
A developing and vibrant fintech climate exists in Turkey, the regulatory approach may be described as fintech-friendly, although cryptoassets are yet to be defined under Turkish legislation. The market is open for new investments. Electronic payment institutions and EMIs have emerged as new sectors in financial intermediation. As of February 2020, there are 34 licensed payment institutions and 18 EMIs. Technological innovation, accelerating the increase in the number of electronic and mobile payments providers and the emergence of new types of payment services in the fintech market have resulted in regulatory changes. The Amendment, which entered into force on 1 January 2020, contributes to the development of an innovation climate in the fintech ecosystem as it introduces new types of payment services.
i Licensing and marketing
Turkey regulates a comprehensive scope of financial services and activities. Financial institutions are obliged to obtain authorisation from relevant regulators (i.e., the Banking Regulation and Supervision Agency (BRSA), the Capital Markets Board (CMB) and the Treasury) to be incorporated and conduct financial activities. Licensing requirements apply in all cases that involve the provision of payment and e-money services. The market is highly regulated and there are significant financial barriers of entry into the market. Payment services and e-money services can solely be offered if the provider is a licensed entity. This being said, a licensed entity can be incorporated to offer payment services only if it is incorporated as: a financial institution that falls under the definition of a bank as listed within Turkey's banking legislation (namely the Banking Law), an EMI or a payment services provider.
According to the Amendment, the Central Bank of the Republic of Turkey (CBRT) is the authorised body to supervise and regulate e-money and payment service providers instead of BRSA. In addition to the CBRT, MASAK also regulates fintech products and services in terms of money laundering proceedings for crime and terrorist financing.
Sale and marketing of financial services and products may fall under the supervision of the CMB or the BRSA. The CMB's Communiqué on Principles on Investment Services and Activities and Ancilliary Services No. III-37.1 (the Investment Services Communiqué) and the BRSA's Regulation on Bank's Procurement of Support Services impose certain restrictions on financial service providers as well as the vendors providing the sales and marketing of financial services in Turkey.
Pursuant to Article 12 of the Investment Services Communiqué, intending advertisement and marketing activities directly or through persons or institutions residing in Turkey with respect to investment services provided by the institutions residing abroad, shall be deemed to be intended for the persons residing in Turkey, and shall also be subject to restrictions.
Automated digital advice is not specifically regulated under the Turkish legislation; however, if the advisory service to be carried is in relation to a regulated financial activity, regardless of its form – either digital or in person – it may be subject to an authorisation or an exemption.
The Regulation on Establishment and Activities of Asset Management Companies, Article 6, sets forth that asset management companies must obtain authorisation from the CMB prior to their establishment in order to carry out their activities.
Providing credit references or credit information services in Turkey is a regulated activity under the Banking Law. A Risk Centre is established within the Banks Association of Turkey for the purpose of collecting the risk data and information of clients of credit institutions and other financial institutions to be deemed eligible by the Banking Regulatory and Supervisory Board, and ensuring that such information is shared with said institutions or with the relevant persons or entities themselves or with real persons and private law legal entities if approved.
Kredi Kayıt Bürosu (KKB) founded under Article 73/4 of the Banking Law conducts all operational and technical activities through its own organisation as an agency of the Risk Center of the Banks Association of Turkey and provides data collection and sharing services to 180 financial institutions that are members of the Risk Centre.
ii Cross-border issues
Under Turkish law, a licence to provide financial services in Turkey cannot be obtained unless the company is governed by the Turkish law. Turkey is not a member of the EU (though a candidate in the negotiations for full membership) or the European Economic Area, nor a party to an agreement for passporting financial services across Europe. Therefore, a Turkish financial institution cannot passport its authorisation into the European Economic Area Member States or any other jurisdiction, and reciprocally foreign financial institutions cannot operate without required licences in Turkey.
The Communiqué on Foreign Capital Market Instruments, Depository Receipts and Foreign Investment Fund Shares published by the Turkish Capital Market Authority No. VII.128.4 includes certain requirements that must be fulfilled by the issuer. Some of these can be included as regulated activities that may be passported into the Turkish jurisdiction. However, a general application of passporting of regulated activities into the Turkish jurisdiction is not possible.
A fintech company is required to be incorporated and licensed in the local Turkish jurisdiction. Apart from being licensed by the Banking Regulation and Supervisory Authority, it must be incorporated as a corporation, with minimum capital requirements, and there are limitations on controlling ownership of shares and share transfers. Said requirement also applies to companies that provide cross-border services and products, and whether the products are actively marketed or the client in the jurisdiction solicits the service or product is not relevant.
Pursuant to the Direct Foreign Investment Law and the Banking Law, there are no restrictions or limitations on ownership of companies by foreigners. On the contrary, direct foreign investments are promoted by the former.
Digital identity and onboarding
There is no official national digital identity in Turkey for the time being as type of a foundational identification system. There is no specific regulation regarding digital identity in the Turkish legislation. However, there are separate pieces of legislation concerning electronic capture and storage attributes or credentials that may uniquely identify a person and create a digital identity. The Electronic Signature Law lays out the principles regarding digital identification. Following the Electronic Signature Law, the Communiqué on Electronic Signature and Relevant Procedures and Technical Criteria (the Electronic Signature Communiqué) has also set a technical basis regarding the electronic signature that may be used in the creation of a digital identity.
As per the Electronic Signature Law, electronic signatures may be issued by electronic certificate service providers, which may be established as public or private entities.
The scope of the use of digital identity has not been regulated; however, it is anticipated by the Information and Communication Technologies Authority that electronic signatures will be used for all kind of applications (e.g., placement exams and passports), inter-institution communication (police departments, General Directorate of Civil Registration and Nationality), social security applications, health applications (health personnel, hospitals and pharmacies), tax payments, electronic voting systems, online banking, insurance transactions, e-agreements and online orders. In addition, there are several examples of functional identification systems supplied by mobile network providers and digital operators provide blockchain service for identity management.
There are a couple of regulatory challenges as to the implementation of fully digitalised onboarding of clients. Laws in Turkey require a written signature to accept someone as a bank customer. In addition, know your customer (KYC) requirements stipulate the application of customer identification on a face-to-face basis. Although there are some regulatory draft proposals that may pave the way for digital onboarding of financial customers in the future, it is not legally permissible to use video technologies for the implementation of KYC either. Therefore, these regulatory requirements are making it hard to design a seamless digital onboarding process for financial service providers to carry out fully digitalised onboarding.
Digital markets, payment services and funding
There is no specific regulation governing cryptoassets, and the debate regarding the legal definition of cryptoassets continues. The Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions and its supplemental secondary legislation regulates the market and the concepts such as e-money, digital wallets, and digital currencies. Due to a lack of agreement among regulatory and supervisory authorities, the status of cryptoassets is yet to be defined under Turkish law. If cryptoassets are considered a security, the Law on Capital Markets shall be the governing legislation; however, if cryptoassets are defined in a way similar to e-money, then Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions shall be the governing legislation.
The general rules and principles regarding investment funds are mainly regulated under Law on Capital Markets. The Capital Markets Board (CMB) regulated further details regarding the establishment and activities of investment funds under the Communiqué on the Principles of Investment Funds (III.52.1) (the Investment Funds Communiqué) and also introduced the Investment Funds Guide (the Guide) with Resolution No. 19/614, in order to clarify the rules and principles stipulated in the Communiqué. The Communiqué Amending the Investment Funds Communiqué (the Amending Communiqué) entered into force upon its publication in the Official Gazette on 12 March 2019, and the Guide was also amended on the same date to reflect the changes introduced through the Amending Communiqué.
The legislation governing the scheme of crowdfunding is newly emerging in Turkey. The Communiqué on Equity Based Crowdfunding (the Crowdfunding Communiqué) was published in the Official Gazette on 3 October 2019 and designates the CMB of Turkey as the supervisory regulatory authority. Providing alternative finance products, services, and collective investment methods fall under the scope of the Crowdfunding Communiqué. In addition to that, credit lines and loans are not listed as permissible services to be offered by payment service providers and EMIs since the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions sets strict prohibitions on the permissibility of offering credit lines or loans by payment service providers or EMIs.
The Banking Law Amendment, which was published in the Official Gazette on 25 February 2020 and became effective on the same day, introduced the concept of crowd-lending by the inclusion made to the Capital Markets Law. Accordingly, the CMB is empowered to make a determination regarding crowdfunding activities by collecting money from the public based on partnership or borrowing. However, since the secondary legislation regarding crowd-lending has not yet been drafted, there are no specific regulations regarding requirements, restrictions and licensing issues. Additionally, peer-to-peer lending is not currently regulated in a manner synonymous with the definition found under PSD II.
As per the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, payment services and e-money services can solely be offered if the provider is a licensed entity and has been incorporated as a financial institution, an EMI or a payment services provider.
There are significant duties levied upon financial institutions regarding the duty of confidentiality within the Turkish legislation, namely the Banking Law, the Turkish Commercial Code, the Turkish Criminal Code and the Personal Data Protection Law. This duty limits the sharing of data in a manner that would be considered as promoting competition. However, according to the Regulation Detailing the Principles and Procedures on Accounting Practices and Document Retention and the Communiqué on Financial Charts and Explanations and Footnotes to be Made Public, banks and financial institutions must make banking data available to the BRSA. Article 9 of the Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, stipulates that the CBRT is empowered to enact secondary legislation that may require payment service providers to share data with other payment service providers.
The Amendment extends the list of payment services by introducing the definitions of 'payment initiation services' and 'account information services'. However, the banks would not be legally required to offer third-party providers access to their customers' accounts via open application programming interfaces (APIs), as long as the CBRT does not issue a secondary legislation on data sharing practices. Nevertheless, some Turkish banks have already released their APIs to promote third-party developers.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
There is no specific regulation governing cryptocurrencies, but there are no specific provisions under Turkish legislation that prohibit individuals from owning and exchanging cryptocurrencies. Turkish legislators have not identified a category for cryptocurrencies or tokens and not yet enacted any special rules for the legal treatment of cryptocurrencies. Despite the fact that there is no legislation governing cryptocurrencies, there exist several cryptocurrency exchange platforms operating in the Turkish fintech ecosystem.
There is no specific regulation governing initial coin offerings (ICO) or token generation events either. However, as mentioned above, if in the future cryptoassets are classified as securities, the Law on Capital Markets shall be the governing legislation, and thus the criteria stipulated under this law shall apply. However, the CMB has not yet classified or assessed security tokens.
Since tokens are not classified or regulated under the Turkish legislation, tokens may not be linked to underlying assets, and shares and bonds may not be issued in the form of a token.
Turkish anti-money laundering legislation, namely the Law on Preventing Laundered Criminal Income and its supplemental regulations, requires that fintech companies (dealing with cryptocurrency and tokens) implement procedures to combat bribery. The appointment of a compliance officer, identity verification of account holders, together with reporting of suspicious transactions are commonplace requirements the regulation imposes upon fintech companies. MASAK also regulates fintech products and services in terms of money laundering proceedings for crime and terrorist financing.
Since cryptocurrencies and tokens are not regulated in Turkish legislation, it is not possible to impose tax on such exchanges. In order to be able to impose tax on cryptocurrencies and tokens, first they must be defined under legislation and the tax law must be amended to include them. If cryptocurrencies were to qualify as commodities in Turkey, the income derived from the exchange of said cryptocurrencies would be subject to income tax. However, for the time being, gains derived from cryptocurrencies are not included within the types of income subject to income tax.
There is no regulation allowing or restricting the offering of tokens to residents from abroad.
Other new business models
Pursuant to the Law of Obligations, for a contract to be legally binding, there has to be an offer and an acceptance, and the parties should intend said contract to be legally binding. Given the nature of self-executing contracts, without separate legislation to regulate them, their enforceability may be challenged on the grounds that they restrict parties' negotiation power over the terms and conditions of an agreement. In addition, self-executing contracts are not legally enforceable for formal contracts specified by certain laws (e.g., real estate contracts and vehicle sales agreements).
There is no regulation regarding artificial intelligence (AI) under Turkish legislation; however, the Digital Transformation Office, structured under the Presidency, has been assigned the task of leading the AI transformation process.
Product price comparison websites are not specifically regulated under Turkish legislation and general law principles shall apply.
Equity-based crowdfunding has been introduced as a new business model as per the Communiqué on Equity Based Crowdfunding (the Crowdfunding Communiqué), which was published in the Official Gazette on 3 October 2019, the scope of the Crowdfunding Communiqué includes providing alternative finance products, services and collective investment methods. The Crowdfunding Communiqué regulates equity-based and share-based crowdfunding, and fundraising from the public through equity-based crowdfunding. As per the Banking Law Amendment, the initial steps for the regulation of lending-based crowdfunding have also been taken.
The Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions broadened the scope of the list of payment services by introducing the definitions of 'payment initiation services' and 'account information services'. This paved the way for financial institutions to offer third-party providers access to their customers' accounts via open APIs. Some Turkish banks have already released their APIs to promote third-party developers.
Intellectual property and data protection
Turkey does not afford patent protection to software-implemented inventions and business methods. Copyright protection is the method that can be utilised for protecting ownership rights over software. Copyright protection is a natural protection offered to the creator starting from the moment the property is offered or made available to the public. There is no application similar to that of a patent application that is required of a copyright holder.
A patent establishes protection over the invention and grants property rights over it. After submission to the local patent office, a patent will be assessed and upon successful display of the patent holder's claims of novelty and function, a patent right will be granted. However, business methods and software-implemented inventions cannot be comprised under patent protection.
There are two distinct regulations regarding the duty of confidentiality. The first piece of legislation, which governs confidentiality of banking and financial information, is the Banking Law. The second is the Personal Data Protection Law, which prohibits or sets limitations on the disclosure, processing and transfer of personal information (that would also include client information).
Additionally, payment service providers and EMIs are subject to the duty to transfer financial data to the BRSA regarding what the Banking Law defines as 'banking data'. The Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, states that the CBRT holds the right to enact secondary legislation that may require payment service providers to share data with other payment service providers.
However, pursuant to the Banking Law Amendment published on 25 February 2020, save for the mandatory provisions of the relevant legislation, client information has been specified as a client secret and the criteria regarding processing and transfer of said information shall be realised in accordance with the Personal Data Protection Law. Even in cases where the client grants explicit consent regarding the processing of his or her personal data, this data may not be transferred or shared domestically or abroad without the explicit request or order of the client.
Year in review
One of the most important developments affecting the fintech industry in the last 18 months was the decision of the Competition Board to revoke the exemption rights granted to the Interbank Card Center (ICC) and the activities it performed under the ICC Express brand, where it acted as a payment service provider, a digital wallet and a payments data house. Since the original licence granted to ICC Express was regarding permission to act as a clearinghouse for exchanges and authorisation transactions, when ICC Express started to provide other services outside this scope its licence was revoked upon the decision of the Competition Board dated 30 May 2019. The revocation of this licence, not effective until mid-2020, presents a risk as to how antitrust provisions may be applied to fintech companies that participate in their designated markets via an exchange.
The Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, which authorises the CBRT instead of the BRSA to supervise and regulate e-money and payment service providers, is also of an important nature. The said Amendment is also relevant to the development of the fintech industry as it introduces new types of payment services namely account information services and payment initiation services.
The introduction of equity-based crowdfunding as per the Crowdfunding Communiqué, which provides alternative finance products, services and collective investment methods; and the initial steps regarding lending-based crowdfunding being taken pursuant to the Law on the Banking Law Amendment are other developments worth mentioning.
One of the most important indicators of the health of the fintech ecosystem of Turkey in 2019 was the number of start-ups that made successful exits. Eight fintech start-ups exited successfully in 2019, which shows that foreign investors have renewed their interest in Turkey and this has created momentum in the industry.
Outlook and conclusions
Despite the absence of an applicable legal framework, a vibrant fintech industry is developing in Turkey. Fintech is transforming finance, business and transaction models, and challenging the regulations constantly. Turkish regulatory bodies are closely monitoring the developments and preparing regulations to react to and meet the requirements generated by the technological developments.
From a regulatory perspective, there is no specific definition of cryptoassets and no restrictions on engaging in cryptocurrency transactions in Turkey. There have been developments in the legal and regulatory landscape for equity-based crowdfunding, lending-based crowdfunding, open banking and the protection of client information. New regulations are being adopted that enable the entry of new actors into the fintech market, increase cooperation with the banking sector and facilitate the development of fintech in Turkey. These include the recent Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, which reorganises the regulatory framework for payment and electronic money services and introduces new definitions of account information services and payment initiation services in line with the PSD II.
1 Cigdem Ayozger Ongun is a managing partner, Filiz Piyal is a managing senior associate and Deniz Erkan is an associate at SRP-Legal.