The Financial Technology Law Review: Turkey
The general policy and regulatory approach in the fintech ecosystem is to ensure the establishment of a regulatory infrastructure to implement financial and information security. The essential legal and regulatory matters concerning fintech are those regarding payment services, e-money institutions and alternative funding methods. This is mainly the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493), which regulates the activities and licensing of the payment systems, electronic money institutions and payment institutions in Turkey. The Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493) drafted in accordance with the requirements of the Payment System Services Directive II (Directive 2015/2366) (Amendment) stipulates a provision regarding the establishment of the Turkey Payment Services and Electronic Money Association (the Association). It is anticipated that the establishment of the said Association shall have a positive impact on the development of the fintech industry. Additionally, the 11th Development Plan of Turkey, published in the Official Gazette dated 23 July 2019, includes objectives directly related to the Turkish financial technology ecosystem. The government's roadmap, which is planned to be created accordingly, will shape the current Turkish fintech ecosystem and create a more secure fintech ecosystem in line with international best practices. Also, recently Turkey has adopted legislation regarding alternative funding methods, mainly different types of crowdfunding.
As for digital information sources regarding fintech, the Turkish Financial Crimes Investigation Board, namely MASAK, provides guidance and education on the matter. MASAK has also issued Sectoral Guidance Notes addressing financial institutions and banks; however, these do not yet specifically address fintech companies.
The Communiqué on the Amendment of the 'Financial Crimes Investigation Board General Communiqué (No: 5)' (No: 18) (the Communiqué) was published in the Official Gazette dated 26 February 2021 and numbered 31407 and will enter into force as of 1 May 2021. Pursuant to the Communiqué, the upper limits of transactions for electronic money institutions that do not require identification have been increased.
The Regulation Amending the Regulation on Measures to Prevent Money Laundering and Terrorist Financing (the Regulation) was published in the Official Gazette dated 26 February 2021 and numbered 31407, and will enter into force as of 1 May 2021. As per the Regulation, the Ministry of Treasury and Finance of Turkey is authorised to determine the methods to be applied in remote identification and other measures within the scope of customer identification, as well as other types of transactions that can be identified remotely by obliged parties. In the trust agreements established abroad, explanations for identification and the procedures and principles to be operated are included. In the message chain from the financial institution where the transfer order is given to the financial institution that will make the payment, the institutions concerned must include information in the electronic transfer messages regarding the sender and pay special attention to the transfer of this information at every stage of the transfer.
Both the government and regulators provide support to financial innovation; however, this support is not specifically financial industry-based under most circumstances. This support is provided to entities that meet specific criteria. For instance, the incorporation of an entity within a special economic zone (i.e., tech development zone) with its primary business activity listed as technology would qualify the said entity for tax benefits. A specific legislation governs this field; the Technology Development Law (Law No. 4691) provides lower corporate income tax, withholding tax, income tax exemptions, employer social security contribution support payments, and value added tax exemptions. According to the Presidential Decree No. 2834, published in the Official Gazette dated 8 August 2020 and numbered 31207, as of 8 August 2020, the rate of Bank and Insurance Transactions Tax (BITT) is applied at zero per cent in foreign exchange sales to foreign resident organisations that perform at least one of the activities accepted as financial institution activities in accordance with the Banking Law No. 5411.
A developing and vibrant fintech climate exists in Turkey. The regulatory approach may be described as fintech-friendly, although crypto assets are yet to be defined under Turkish legislation. The market is open for new investments. Electronic payment institutions and electronic money institutions have emerged as new sectors in financial intermediation. As of February 2021, there are 33 licensed payment institutions and 22 e-money institutions (EMI). Technological innovation, accelerating the increase in the number of electronic and mobile payments providers and the emergence of new types of payment services in the fintech market have resulted in regulatory changes. The amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (the Amendment) which entered into force on 1 January 2020, contributes to the development of an innovation climate in the fintech ecosystem as it introduces new types of payment services.
i Licensing and marketing
Turkey regulates a comprehensive scope of financial services and activities. Financial institutions are obliged to obtain authorisation from relevant regulators (i.e., the BRSA, Capital Markets Board (CMB) and the Treasury) to be incorporated and conduct financial activities. Licensing requirements apply in all cases that involve the provision of payment and e-money services. The market is highly regulated and there are significant financial barriers of entry into the market. Payment services and e-money services can solely be offered if the provider is a licensed entity. A licensed entity can be incorporated to offer payment services only if it is incorporated as a financial institution that falls under the definition of a bank as listed within Turkey's banking legislation (namely the Banking Law No. 5411), an electronic money institution or a payment services provider.
As of 1 January 2020, pursuant to the Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 7192), the Central Bank of the Republic of Turkey (CBRT) has become the authorised body to supervise and regulate e-money and payment service providers instead of the BRSA. In addition to the CBRT, MASAK also regulates fintech products and services in terms of money laundering proceedings for crime and terrorist financing.
Sale and marketing of financial services and products may fall under the supervision of the CMB or BRSA. The CMB's Communique on Principles on Investment Services and Activities and Ancillary services numbered III-37.1 (the Communiqué) and the BRSA's Regulation on Banks' Procurement of Support Services impose certain restrictions on financial service providers as well as the vendors providing the sales and marketing of financial services in Turkey.
Pursuant to Article 12 of the Communiqué, advertisement and marketing activities directly or through persons or institutions residing in Turkey with respect to investment services provided by the institutions residing abroad shall be deemed to be intended for the persons residing in Turkey, and shall also be subject to restrictions.
Automated digital advisory is not specifically regulated under Turkish legislation; however, if the advisory services to be carried out are in relation to a regulated financial activity, regardless of its form, either digital or in person, such advisory activities, depending on the type and content, may be subject to an authorisation or an exemption.
The Regulation on Establishment and Activities of Asset Management Companies Article 6 sets forth that asset management companies must obtain authorisation from the CMB prior to their establishment to carry out their activities. According to the Banking Law and the Financial Leasing Law, only the entities with a licence granted by the BRSA may legally conduct lending activities. However, following the entry into force of the Law No. 7192, the new licences will be granted by the CBRT as of 1 January 2021.
Providing credit references or credit information services in Turkey is a regulated activity under the Law No. 5411. A Risk Centre is established within the Banks Association of Turkey for the purpose of collecting the risk data and information of clients of credit institutions and other financial institutions to be deemed eligible by the Banking Regulatory and Supervisory Board, and ensuring that such information is shared with said institutions or with the relevant persons or entities themselves or with real persons and private law legal entities if approved. Kredi Kayıt Bürosu (KKB) founded as per the Article 73/4 of the Banking Law (Law No. 5411) conducts all operational and technical activities through its own organisation as an agency of the Risk Centre of the Banks Association of Turkey and provides data collection and sharing services to 180 financial institutions that are members of the Risk Centre.
ii Cross-border issues
Under Turkish law, a licence to provide financial services in Turkey cannot be obtained unless the company is governed by Turkish law. Turkey is not a member of the European Union (EU) (but a candidate in the negotiations for full membership) or the European Economic Area (EEA), or a party to an agreement for passporting financial services across Europe. Therefore, a Turkish financial institution cannot passport its authorisation into the EEA Member States or any other jurisdiction, and reciprocally foreign financial institutions cannot operate without required licences in Turkey.
The Communiqué on Foreign Capital Market Instruments, Depository Receipts, and Foreign Investment Fund Shares published by the Turkish Capital Market Authority No. VII.128.4 includes certain requirements that must be fulfilled by the issuer. Some of these can be included as regulated activities that may be passported into the Turkish jurisdiction. However, a general application of passporting of regulated activities into the Turkish jurisdiction is not possible.
A fintech company is required to be incorporated and licensed in the local Turkish jurisdiction. Apart from being licensed by the Central Bank of the Republic of Turkey, it needs to be incorporated as a corporation, with minimum capital requirements (approximately US$285,000) and there are limitations on controlling ownership of shares and share transfers. Said requirement also applies to companies that provide cross-border services and products and whether the products are actively marketed or the client in the jurisdiction solicits the service or product is not relevant.
Pursuant to Turkish Direct Foreign Investment Law (Law No. 4875) and the Banking Law (Law No. 5411), there are no restrictions or limitations on ownership of companies by foreigners. On the contrary, direct foreign investments are promoted through Law No. 4875.
The Personal Data Protection Authority's decision dated 23 June 2020 and numbered 2020/471 has confirmed that a foreign bank with a representative office in Turkey shall be regarded as a Data Controller under the Data Protection Law and it shall register with the Data Controllers' Registry (VERBIS).
Additionally, the financial group term has been defined in Article 2 of the Law on the Prevention of Laundering Proceeds of Crime with the amendment made pursuant to Article 20 of The Law No. 7262 on Preventing Financing of Proliferation of Weapons of Mass Destruction (Law No. 7262) dated 27 December 2020. The term has been defined as also including foreign-based financial companies. The aforementioned definition has been stipulated to comply with the regulation on 'financial groups' for which new obligations have been imposed within the scope of Article 5 of the Law for Preventing Laundered Criminal Income (Law No. 5549). Article 5 of the Law No. 5549 regulates that the companies affiliated to the financial group may share information within the group regarding the accounts and transactions with the recognition of the customer to ensure that the specified measures are taken at the group level. Information sharing cannot be avoided by putting forward the provisions in special laws.
Digital identity and onboarding
There is no official national digital identity in Turkey for the time being, as a type of foundational identification system. There is no specific regulation regarding digital identity in the Turkish legislation. However, there are separate pieces of legislation concerning the elements of electronically capturing and storage attributes or credentials that may uniquely identify a person and create a digital identity. The Electronic Signature Law (Law No. 5070) lays out the principles regarding digital identification. Following the Law No. 5070, the Communiqué on Electronic Signature and Relevant Procedures and Technical Criteria has also set a technical basis regarding the electronic signature that may be used in the creation of a digital identity.
Pursuant to Law No. 7247 on Amendments to Certain Laws and Statutory Decrees (Law No. 7247), published in the Official Gazette dated 26 June 2020 and numbered 31167, the need to meet face-to-face was eliminated for the first time while establishing a contractual relationship between financial institutions and potential customers, paving the way for the process to start and end in a digital environment.
The Law on Technology Development Zones and Amendments to Certain Laws (Amending Law) was published in the Official Gazette dated 3 February 2021 and numbered 31384, amending the Law No. 5070. Pursuant to the Amending Law, an electronic stamp defined as an evidence record that guarantees the origin and integrity of the electronic document or data that was created by the stamp owner, and it has become possible that the electronic stamp will be used to carry out certification processes without needing a physical document. Public institutions and organisations, public administrations, public professional organisations and higher organisations, public and private legal entities, judicial authorities and notaries will be able to use electronic stamps. Additionally, with the website verification certificate, an important step has been taken to ensure information security on the internet. Provisions in the legislation on electronic signatures shall also apply to electronic stamps, website authentication certificates and other electronic certificates by analogy. As per Law No. 5070, electronic signatures may be issued by electronic certificate service providers, which may be public entities or private entities.
Relevantly, the term 'open banking' has been defined for the first time in the Banks' Information Systems and Electronic Banking Services (the Regulation) published in the Official Gazette, 15 March 2020 and numbered 31069. The effective date of the Regulation, which also refers to sharing via application programming interface (API), has been determined as 1 January 2021. Pursuant to the Regulation, remote identification and digital onboarding have been regulated for the first time. Open banking services may be used for digital identity. It is known that the regulatory works by MASAK that will allow remote identification during account openings are pending. The Draft Communiqué on Remote Identification Methods to be Used by Banks (the Draft Communiqué) drafted by the BRSA to determine remote identification methods was published on the BRSA's website on 21 September 2020. Currently, the Draft Communiqué is rearranged within the scope of the opinions obtained and conveyed to the sector organisations; it is foreseen that it will enter into force in 2021.
Digital markets, payment services and funding
There is no specific regulation governing crypto-assets, and the debate regarding the legal definition of crypto-assets continues. The Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493) and its supplemental secondary legislation regulates the market and the concepts such as e-money, digital wallets and digital currencies. Because of the lack of agreement among regulatory and supervisory authorities, the status of crypto assets is yet to be defined under Turkish law. In the case crypto assets are considered a security, the Law on Capital Markets (Law No. 6362) shall be the governing legislation; however, if crypto assets are defined in a way similar to e-money, then Law No. 6493 shall be the governing legislation.
One of the most recent developments is the Instant and Continuous Transfer of Funds (ICTF) system that is the new generation instant retail payment application (available all day, and every day) that has been announced by the CBRT. The system has been brought into service as of 8 January 2021. With the ICTF System, the Easy Addressing System that allows the electronic payment system to be used in a practical and easy way through using the Turkish Republic Identity Number, with telephone number and email address supplied. This development in retail payment system infrastructure constitutes an important element for paving the way towards supporting innovative fintech and business models.
CBRT has also established Turkey's QR code standards, and the Regulation on the Generation and Use of TR QR Code in Payment Services (QR Code Regulation) including its annex TR QR Code Rules and Principles drafted as part of the same initiatives have entered into force following their publication in the Official Gazette dated 21 August 2020 and numbered 31220. The QR Code Regulation stipulates the procedures and principles regarding the payment transactions that are within the scope of payment services rendered by using a QR code. A QR code is required in every payment transaction rendered by using a QR code, which is within the scope of the payment services in accordance with the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493).
The general rules and principles regarding investment funds are mainly regulated under Law No. 6362. The CMB has regulated further details regarding the establishment and activities of investment funds under the Communiqué on the Principles of Investment Funds (III.52.1) (the Communiqué) and has also introduced the Investment Funds Guide (the Guide) with its resolution numbered 19/614, to clarify the rules and principles stipulated in the Communiqué. The Communiqué Amending the Communiqué (III-52.1.c) (Amending Communiqué) entered into force upon its publication in the Official Gazette dated 12 March 2019 and the Guide has also been amended on the same date to reflect the changes introduced through the Amending Communiqué.
The legislation governing the scheme of crowdfunding is newly emerging in Turkey. The Communiqué on Equity Based Crowdfunding (Crowdfunding Communiqué) was published in the Official Gazette dated 3 October 2019 and designates the CMB as the supervisory regulatory authority. As per the Communiqué, only the platforms authorised and listed by the CMB may carry out equity-based crowdfunding activities. Providing alternative finance products, services and collective investment methods falls under the scope of the Crowdfunding Communiqué. In addition to that, credit lines and loans are not listed as permissible services to be offered by payment service providers and electronic money institutions because the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493) sets strict prohibitions to the permissibility of offering these.
As per the Law No. 7222 on the Amendment of Banking Law and Some Other Laws (Amending Law), which was published in the Official Gazette dated 25 February 2020 and numbered 31050 and came into force on the same date, introduced the concept of crowd-lending by the inclusion made to the Law No. 6362. With regard to crowdfunding, with the amendment made in the first paragraph of article 35/A of the Law No. 6362, the CMB is empowered to make a determination regarding crowdfunding activities by collecting money from the public based on partnership or lending. Hence, establishing the legal basis of the lending-based crowdfunding model.
As per the Amending Law, the provisions of the banking legislation shall not be applied for the financing provided through lending-based crowdfunding and shall not be considered as deposit or participation fund acceptance. This situation may bring an alternative to conventional and participation banking models, especially in financing innovative projects with industrial and technology companies. In addition, with the amendments made in Article 35/A of the Law No. 6362, the responsibility regarding the information form on the crowdfunding transactions has been clarified and venture companies, whose shares are monitored in record, are now allowed to hold general assembly meetings electronically. The CMB is continuing the work on secondary regulations on equity-based crowdfunding.
Additionally, peer-to-peer lending is not currently regulated in a manner synonymous with the definition found under Payment Services Directive II (PSD II). However, lending-based crowdfunding platforms, which can be considered peer-to-peer lending, have just been regulated as mentioned; although a communiqué for these platforms has not yet been prepared by the CMB.
As per the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, payment services and e-money services can solely be offered if the provider is a licensed entity and has been incorporated as a financial institution, an electronic money institution or a payment services provider.
There are significant duties levied upon financial institutions regarding the duty of confidentiality within the Turkish legislation, namely the Banking Law, the Turkish Commercial Code, Turkish Criminal Code and Personal Data Protection Law. This duty limits the sharing of data in a manner that would be considered as promoting competition. However, there are various regulations, such as the Regulation Detailing the Principles and Procedures on Accounting Practices and Document Retention and the Communiqué on Financial Charts and Explanations and Footnotes to be Made Public. According to said regulations, banks and financial institutions must make banking data available to the BRSA. However, Article 9 of the Law No. 7192 that introduced a variety of amendments to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493) (the Amendment) stipulates that the CBRT is vested with the power to enact secondary legislation that may require payment service providers to share data with other payment service providers. The Amendment extends the list of payment services by introducing the definitions of 'payment initiation services' and 'account information services'. However, the banks would not be legally required to offer third-party providers access to their customers' accounts via open APIs, as long as the CBRT does not issue a secondary legislation on data sharing practices. Nevertheless, some Turkish banks already release their APIs to promote third-party developers.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
There is no specific regulation governing cryptocurrencies; however, there are no specific provisions under the Turkish legislation that prohibit individuals from owning and exchanging cryptocurrencies. Turkish legislators have not identified a category for cryptocurrencies or tokens and have not yet enacted any special rules for the legal treatment of cryptocurrencies. Despite the fact that there is no legislation governing cryptocurrencies, there exist several cryptocurrency exchange platforms that operate in the Turkish fintech ecosystem.
There is no specific regulation governing initial coin offerings (ICO) or token generation events either. However, as mentioned above, if in the future crypto assets are classified as security, the Law on Capital Markets (Law No. 6362) shall be the governing legislation, and thus the criteria stipulated under Law No. 6362 shall apply. However, the CMB has not yet classified or assessed security tokens.
Because tokens are not classified or regulated under Turkish legislation, tokens may not be linked to underlying assets, and shares and bonds may not be issued in the form of a token. Turkish anti-money laundering (AML) legislation, namely the Law for Preventing Laundered Criminal Income (Law No. 5549) and its supplemental regulation, requires that fintech companies (dealing with cryptocurrency and tokens) implement procedures to combat bribery. The appointment of a compliance officer, identity verification of account holders, together with reporting of suspicious transactions are commonplace requirements the regulation imposes upon fintech companies. MASAK also regulates fintech products and services in terms of money laundering proceedings for crime and terrorist financing.
Once again, because cryptocurrencies and tokens are not regulated in the realm of Turkish legislation, it is not possible to impose tax on such exchanges. To be able to impose tax on cryptocurrencies and tokens, firstly these must be defined under the legislation and the Tax Law has to be amended in a comprehensive manner. If cryptocurrencies were to be qualified as a commodity in Turkey, the income derived from the exchange of said cryptocurrencies would be subject to income tax. However, for the time being gains derived from cryptocurrencies are not included within the types of income that are subject to income tax.
There is no regulation allowing or restricting the offering of tokens to residents from abroad.
Other new business models
Pursuant to Turkish Law of Obligations (Law No. 6098) for a contract to be legally binding, there has to be an offer and an acceptance, and the parties should have the intention of said contract being legally binding. Because of the nature of self-executing contracts, without separate legislation to regulate said contracts, their enforceability may be challenged on the grounds that they restrict parties' negotiation power over the terms and conditions of an agreement. In addition, self-executing contracts are not legally enforceable for the formal contracts specified by certain laws (e.g., real estate contracts, vehicle sales agreements).
There is no regulation regarding artificial intelligence under Turkish legislation, however the Digital Transformation Office, structured under the Presidency, has been granted with the task to lead the AI transformation process.
Product price comparison websites are not specifically regulated under Turkish legislation; however, general law principles shall apply.
Equity-based crowdfunding has been introduced as a new business model as per the Communiqué on Equity Based Crowdfunding (the Communiqué), which was published in the Official Gazette dated 3 October 2019. The scope of the Communiqué includes providing alternative finance products, services and collective investment methods. The Communiqué regulates equity-based or share-based crowdfunding and fund-raising from the public through equity-based crowdfunding. Also, as per Law No. 7222 on the Amendment of Banking Law and Some Other Laws (Amending Law) published in the Official Gazette dated 25 February 2020, the initial steps for the regulation of lending-based crowdfunding have also been taken. With the amendment made to Article 35/A of the Law on Capital Markets (Law No. 6362), the provisions of the banking legislation are not applicable to lending-based crowdfunding. The CMB is authorised to determine the principles and procedures regarding the control and inspection of the organisations of the crowdfunding platforms, their partners, share transfers, employees, the maximum limit of the money that can be invested by each fund provider or collected by the project owners and venture companies, and the other principles that they must comply with during their activities. It has also been stipulated that crowdfunding platforms shall not be subject to the provisions of the Capital Markets Law regarding publicly held corporations, public offerings, issuers, the obligations of issuing prospectuses and issuance documents, investment services and activities, ancillary services and exchanges, market operators and other organised marketplaces. Finally, secondary regulation works carried out by the CMB on crowdfunding platforms are shaped within the framework of the project entitled Giving Support to the Preparation of Secondary Legislation Relating to Crowdfunding in Turkey for analysing studies on foreign practices and models that can be applied in Turkey.
Portfolio management companies that are required to be established as joint-stock companies, operate and manage alternative investment funds (AIFs) on behalf of their investors. A participation share as a consideration is exchanged for the service of the portfolio management companies. Managers of AIFs shall comply with the Communiqué on Portfolio Management Companies and Activities of Such Companies (III-55.1) issued by the Capital Markets Board. However, fintech companies do not fall under the scope of the legislation concerning alternative investment fund managers.
Intellectual property and data protection
The Turkish jurisdiction does not afford patent protection to software-implemented inventions and business methods. Copyright protection is the method that can be utilised for protecting ownership rights over software. Copyright protection is a natural protection that is offered to the creator initiating from the moment the property is offered or made available to the public. There is no application similar to that of a patent application that is required of a copyright holder.
A patent establishes a protection over the invention and grants property rights over it. A patent, after a submission to the local patent office, will be up for assessment and upon a successful display of the patent holders' novelty claims and function, a patent right will be granted. However, business methods and software-implemented inventions cannot be encompassed under patent protection.
There are two distinct regulations regarding duty of confidentiality. The first piece of legislation that governs confidentiality of banking and financial information is the Banking Law (Law No. 5411). The second one is the Personal Data Protection Law (Law No. 6698) which prohibits or sets limitations to the disclosure, processing and transfer of personal information, which would also include client information.
Additionally, payment service providers and e-money institutions are also subject to the duty to transfer financial data to the BRSA regarding what the Law No. 5411 defines as 'banking data'. The Law No. 7192 that introduced a variety of amendments to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493) states that the CBRT holds the right to enact secondary legislation that may require payment service providers to share data with other payment service providers.
However, pursuant to the Amendment to the Banking Law published in the Official Gazette dated 25 February 2020, save for the mandatory provisions of the relevant legislation, client information has been specified as confidential client data, and the criteria regarding processing and transfer of said information shall be established in accordance with the Personal Data Protection Law (Law No. 6698). Confidential customer data will not be shared with or transferred to third parties in Turkey and abroad, except for exceptional cases specified in the Banking Law. Even in the cases where the client grants explicit consent regarding the processing of his or her personal data, said data may not be transferred or shared domestically or abroad without the explicit request or order of the client.
The Draft Regulation on the Sharing of Confidential Information (Draft Regulation) is published on the official website of the BRSA and was submitted to public opinion on 8 February 2021. With the Draft Regulation also referring to the Law No. 6493, it is aimed to determine the scope, procedures and principles of the sharing and transfer of confidential bank and customer data. Within the scope of Article 73 of the Law No. 5411, regulations were made regarding the confidentiality obligation, exceptions and definition of confidential customer data. In the Draft Regulation, all the information regarding real and legal persons becoming bank customers are included in the scope of confidential customer data. Lastly, it will be mandatory for banks to establish an Information Sharing Committee. The committee will be responsible for coordinating the sharing of confidential customer data and confidential bank information, considering the proportionality factor, and recording these evaluations by evaluating the appropriateness of sharing requests.
As per the Regulation on Banks' Information Systems and Electronic Banking Services (the Regulation) published in the Official Gazette dated 15 March 2020 and numbered 31069 and becoming effective as of 1 January 2021, banks are required to prepare a detailed asset inventory by classifying these assets to establish controls in accordance with the security requirements of information assets. Information on whether there is personal data among the assets will also be added to the data inventory to be prepared. In the Regulation, 'electronic banking service' is defined as any electronic distribution channel through which customers may perform remote banking transactions or give instructions to the bank such as internet banking, mobile banking, telephone banking, open banking services and ATM and kiosk devices. Thus, information containing sensitive data or secret data (credit card account statement, etc.) that will be transmitted to their customers electronically by the banks shall not be sent through means such as emails and text messages (SMS) and customers shall not be directed to channels that provide electronic banking services.
Pursuant to the Decisions of the Personal Data Protection Board (the Board) dated 3 March 2020 and numbered 2020/191, 2020/192, 2020/193 and 2020/194 regarding the notification that the data stored in the Risk Centre had been violated by various factoring companies, the Board decided to impose administrative sanctions on factoring companies, because of the queries made by some of the employees of factoring companies through the Risk Centre being shared with persons who are not legally authorised. Also, as per the decision of the TBMM Ombudsman Institution dated 9 March 2020 and numbered 22873068- 5913, it was stated that phone number data is not among the mandatory information relating to identification of a customer; it was decided that the practice aimed at obtaining this information violated the Personal Data Protection Law, and that requesting phone numbers in banking transactions should no longer be allowed in the banking sector.
Additionally, banks will be able to benefit from cloud computing systems as an external service tool, provided that these systems are kept within Turkey in accordance with the provisions of the Regulation. As per the Communiqué on Management and Supervision of Information Systems of Payment Institutions and Electronic Money Institutions, payment institutions and electronic money institutions shall mandatorily have their primary and secondary systems located in Turkey and cloud computing must be within the scope of these systems. Therefore, if electronic money and payment institutions store data via cloud computing systems as external services, data centres must be located in Turkey.
Year in review
One of the most important developments that affected the fintech industry in the last 18 months is CBRT's acquisition of 51 per cent of Interbank Card Centre (BKM) and the activation of the Payment Services and Electronic Money Institutions Union (TÖDEB).
As per the Regulation on Banks' Information Systems and Electronic Banking Services (the Regulation) drafted by the BRSA and published in the Official Gazette dated 15 March 2020 and numbered 31069, excluding the articles that will enter into force on 1 July 2020, the effective date of the other provisions has been extended for six months and determined as 1 January 2021. With the enactment of the Regulation, the Communiqué on Principles to be Based on Information Systems Management in Banks shall be abolished.
Pursuant to Law No. 7247 on Amendments to Certain Laws and Statutory Decrees (Law No. 7247), published in the Official Gazette dated 26 June 2020 and numbered 31167, the need to meet face-to-face was eliminated for the first time while establishing a contractual relationship between financial institutions and potential customers, paving the way for the process to start and end in a digital environment.
Developments in the ICTF system that is the new generation instant retail payment application, available all day and every day, that has been announced by the CBRT are of importance. The ICTF system enables an electronic payment system that is practical and easy. This development in retail payment system infrastructure constitutes an important element for paving the way towards facilitating fintech and business models. Additionally, CBRT establishing Turkey's QR code standards pursuant to the Regulation on the Generation and Use of TR QR Code in Payment Services (QR Code Regulation) is also of importance.
These developments are of great significance in terms of providing services and innovative products that benefit consumers in the competitive conditions of the existing structure as well as paving the way for new initiatives with innovative ideas in fintech ecosystems from 2022 in Turkey.
One of the most important indicators for the fintech ecosystem of Turkey in 2021 is the amount of investments that start-ups have received. According to the Turkey Fintech Ecosystem Report, it is anticipated that the fintech sector will continue to develop with an average annual growth rate of 14 per cent.
Outlook and conclusions
Despite the lack of a legal framework specifically applicable to the fintech industry, a developing and vibrant fintech industry is emerging in Turkey, as the financial technologies are transforming finance, business and transaction models and challenging the regulation at a constant rate. Turkish regulatory bodies closely monitor the developments and prepare reactive regulations to meet the requirements generated by the technological developments.
From a regulatory perspective, there is no specific definition regarding crypto assets and there are no restrictions to engage in these cryptocurrency transactions in Turkey. Given that the cryptocurrency market is growing rapidly, there have been developments in the legal and regulatory landscape for equity-based crowdfunding, lending-based crowdfunding, open banking, and the protection of client information. New regulations are being adopted that enable the entry of new actors to the fintech market, increasing cooperation with the banking sector and facilitating the development of the fintech sector in Turkey such as the recent Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493) which reorganises the regulatory framework in the payment and electronic money services and introduces new definitions of account information services and payment initiation services in line with the PSD II.
On the other hand, there are several regulations that are expected to come into force before the end of the first quarter of 2021. The Draft Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers and the Draft Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in Payment Services of Payment Service Providers have been drafted and submitted to the sector organisations for their opinions. Additionally, the regulations of MASAK and the secondary regulations regarding open banking services and digital onboarding, were submitted to the sector organisations for their opinions. Considering the compliance periods foreseen in the draft regulations, it is estimated that the regulations may be published before the end of the first quarter of 2021. As a matter of fact, the Draft Communiqué on Remote Identification Methods to be Used by Banks, which was submitted to the public opinion as of 21 September 2020 by the BRSA, was revised within the scope of the opinions received and was submitted to the opinion of the sector organisations, is foreseen to come into force in 2021.
Additionally, BRSA submitted the Draft Regulation on the Sharing of Confidential Information (the Draft Regulation) to public opinion. The Draft Regulation has been prepared to determine the procedures and principles for sharing and transferring of confidential bank and customer data.
In line with the recent developments, it can be said that the sub-regulations on payment services, e-money and open banking and technical standards will be formed in 2021, and the actors entering the adaptation process will have completed the necessary process. Taking into consideration the products and services to be offered, this transformation is foreseen to start being seen by end users as of 2022.
1 Cigdem Ayozger Ongun is a managing partner, Volkan Akbas is a managing senior associate and Deniz Erkan is an associate at SRP-Legal