The Turkish Fintech market is occupied by a significant number of variously sized participants. Competitiveness notwithstanding, market players tend to cooperate with one another in keeping the marketplace fair. Consumers demand fast, user-friendly, and widely accessible digital financial services platforms, and, just as in other parts of the world, Fintech players in Turkey are striving to satisfy those demands. One example is BKM Express, a multibank cashless payment platform launched in 2012, now utilized by 200 fintech businesses and banks. The Turkish fintech market has expanded at a year-over-year rate of 14% and is currently valued at USD 15 billion.
Though relatively immature, the potential of Turkey’s fintech industry should not be underestimated. Turkish fintech startups are rapidly developing innovative, in some cases disruptive, solutions to meet consumer fintech demands worldwide. The involvement of Turkey’s mature banking players continues to allow seamless integration of novel fintech applications within the banking system.
The Turkish fintech industry has experienced rapid growth over the past few years. Turkey is an attractive market for fintech start-ups developing innovative products. A report by a Big Four accounting firm and BKM, the fintech-purposed consortium of the top ten Turkish banks, listed total venture capital investment in Turkish fintech at USD 4.6 million for 2012, and USD 53.2 million for 2016. Moreover, Start-up Watch’s latest industry report lists total investment at USD 108 million for the period January-November of 2020. There are currently more than 350 active players in Turkey’s fintech marketplace operating primarily within the following subsectors:
Electronic Payment Systems:
Law on Security Settlement Systems, Payment Services and Electronic Money Institutions No. 6493 (“E-Payment Law”) applies to payment systems, security settlement systems, payment institutions, and electronic money institutions operating in Turkey. Only banks and payment service providers authorized by the Authority are allowed to carry out payment services in Turkey.
Open banking provides a way for third parties, with consent, to access personal financial data maintained by banks. Open banking has dismantled the monopoly once held by banks over customer financial data and opened new competitive avenues in fintech.
Digital banking allows customers to manage all of their banking transactions through mobile apps, websites or call centers anywhere at any time without any need to visit a physical branch or ATM.
Virtual currency (electronic money) in Turkish law refers to monetary values backed up by funds collected by the electronic money issuer, stored electronically, used to perform payment transactions and accepted as a means of payment also by natural and legal persons other than the electronic money issuer. Electronic money and electronic money issuers are strictly regulated in Turkish Law.
Blockchain and Cryptocurrencies:
At present, Turkish law does not specifically regulate cryptocurrency. However, it is expected that just like fiat currency transactions, cryptocurrency transactions will be subject to Turkish financial crimes laws.
Equity based crowdfunding was introduced to Turkish law with the amendments dated 2017 to the Capital Markets Law No. 6362 (“CML”) and defined as “collecting money from public through crowdfunding platforms without being subject to the provisions regarding investor compensation, in order to provide funds needed by a project or venture company”.
In Turkey, fintech systems like card and cardless payments, e-money, and e-wallet may be subject to different laws.
The main legislation governing electronic payment services in Turkey is the E-Payment Law, as complemented by certain secondary legislation, including the Regulation on Payment Services, Electronic Money Issuance, Payment Institutions and Electronic Money Institutions, published in the Official Gazette No. 29043, and dated 27 June 2014, and the Communiqué on the Management and Inspection of Information Systems of Payment and Electronic Money Institutions, published in the Official Gazette No. 29043, and dated 27 June 2014.
The E-Payment Law was recently amended by both the Law on Amendment of the Law on Security Settlement Systems, Payment Services and Electronic Money Institutions No. 7192, effective as of 1 January 2020, and the Law on the Amendment of Certain Laws and Decree Laws No. 7247, effective as of 26 June 2020.
Central Bank Regulations
The Central Bank of the Republic of Turkey (“Central Bank”) has prepared the following two draft regulations and published them for industry comment: (i) the Draft Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, and (ii) the Draft Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers.
The Central Bank’s Regulation on Generation and Use of TR QR Codes in Payment Services, effective as of 21 August 2020, regulates the generation and use of QR codes for making electronic payments of the types covered by the E-Payment Law.
Banking Law No. 5411 (“Banking Law”), effective as of 1 November 2005, establishes a regulatory scheme which promotes efficient operation of financial markets, and fosters systemic integrity by facilitating issuance of bank loans.
Insurance Law No. 5684, effective as of 14 June 2007, ensures consistency in the insurance marketplace through a regulatory framework.
Law on Payment Systems
Law on Payment Systems No. 6493, effective as of 27 June 2013, regulates payment and securities settlement systems, payment services, and electronic money companies.
Credit Card Law
Credit Card Law No. 5664, effective as of 1 March 2006, provides a legal framework for establishing regulations on transaction clearing, and issuance of bank cards and credit cards.
Turkey’s anti-money laundering (“AML”) regulations align with the European Union (“EU”) Directive on Money Laundering. The Law on the Prevention of Laundering Proceeds of Crime No. 5549 (“AML Law”), which incorporates know your customer (“KYC”) and AML legislation, holds criminally liable insurance agencies, lending firms, cryptocurrency transfer companies, etc., for engaging in financial crimes, and requires financial firms to verify the identity of individuals and their representatives engaging in certain financial transactions.
The CML regulates capital market operations and instruments, public companies, traded companies, investment institutions, trade markets, and other capital markets institutions.
The Communiqué on Equity Based Crowdfunding No. III - 35/A.1 regulates the procedures and principles regarding equity-based crowdfunding, the listing and activities of crowdfunding platforms, collecting money from the public through equity-based crowdfunding, and supervising and auditing that the collected funds are used in accordance with their declared purpose.
There are no specific regulations attributed to fintech customers. The compensation model and its regulatory framework vary depending on the scope of the financial activity offered to the customers. In case the financial activity offered by a fintech company falls within the scope of a regulated area such as banking, capital markets or payment services, specific regulations in these areas would apply.
Investment institutions are subject to strict rules under the capital markets legislation related to compensation and fee structure depending on the investment services that they provide and the investment transactions. They must comply with the disclosure and information requirements vis-à-vis their customers, which vary depending on the scope of the investment service.
Payment and Electronic Money Services
Within the scope of payment and electronic money services, fintech service providers are allowed to charge customers only to the extent mutually agreed in a framework service agreement between the service provider and the customer. The Central Bank has the authority to set the maximum prices and commission for each transaction.
For payment services, service providers are under the obligation to provide information as to the fees applicable before execution of the agreement. If this information is published on the service provider’s website, the disclosure obligation is deemed to be satisfied. If requested by the customer, the service provider must inform the customer as to the fees applicable to the transaction. Also, once the payment transaction is accomplished, regardless of whether requested by the customer, the service provider is under the obligation to inform the customer as to the fees applied.
Transactions Outside the Framework Agreement
In case a certain transaction is not covered by the framework agreement (except bill payments), the service provider is obliged to inform the customer as to the information that needs to be provided by the customer for the payment, the maximum completion time of the payment transaction, a list of the total fees and fees payable, and the exchange rate to be applied in the payment transaction, if any. If this information is published on the service provider’s website, the disclosure obligation is deemed to be satisfied.
On condition that it is agreed in the framework agreement, a fee that is reasonable and proportionate to the expenses may be requested by the service provider when the framework agreement is terminated by the customer.
Fintech is not currently regulated under Turkish Law.
Currently, there is no regulatory sandbox in Turkey. However, the Turkish Government’s recently published Financial Reform Booklet for the years 2021-2023 indicates that implementation is on the horizon.
As explained under 2.1 Predominant Business Model and 2.2 Regulatory Regime, several regulatory authorities exist, including the following:
The Central Bank is an autonomous body charged with:
Istanbul Stock Exchange (“BIST” or “Borsa Istanbul”)
The BIST is Turkey’s single house for securities and commodities trading. It is subdivided into trading sectors, including (i) diamonds and precious metals, (ii) derivatives, (iii) debt securities, (iv) equities, (v) futures, and (vi) options.
Capital Markets Board of Turkey (“CMB”)
The CMB is charged with ensuring the integrity of capital markets and regulating securities dealers. The CMB’s policies seek to reassure investors by ensuring market transparency, improve capital markets operations, and implement applicable law.
The Banking Regulation and Supervisory Agency (“BRSA”)
The BRSA is an autonomous supervisory authority charged with regulating bank lending practices, consumer financing, domestic bank holding companies, and international banks operating in Turkey.
The BRSA is charged with (i) reducing costs associated with financial transactions, (ii) increasing market transparency, (iii) ensuring regulatory compliance, (iv) identifying systemic risk, (v) ensuring generally accepted accounting principles are followed, (vi) reviewing annual financial reports, (vii) monitoring independent auditing firms, (viii) facilitating the efficient operation of credit markets, (ix) protecting consumer deposits, (x) controlling incorporation, ownership, association, sale of shares, and financial holdings of factoring and leasing firms, and (xi) developing banking and financial services solutions.
Ministry of Treasury and Finance of the Republic of Turkey
The Ministry of Treasury and Finance is charged with (i) tax levying and collecting, (ii) regulating public properties, (iii) executing international exchange policies, (iv) harmonizing AML laws and regulations, and (v) ensuring transparency of economic affairs.
Under Presidential Decree No 48, effective as of 1 October 2019, the obligations of the Insurance and Private Pension Supervision and Supervisory Department are assumed by the Treasury Ministry, and include duties such as preserving private pensions, enforcing pension laws, and licensing of insurance and reinsurance companies.
Digital Transformation Office
The Digital Transformation Office seeks to facilitate Turkey’s digital fintech transformation by connecting businesses, human capital, and emerging opportunities within the communications and information technology sectors. Its operations include facilitating (i) access to national and domestic emerging technologies through development of infrastructure, and (ii) transition to big data by drafting procedures, understanding data distribution and infrastructure, and maintaining cyber-stability.
Financial Crimes Investigation Board (“MASAK”) is charged with monitoring money laundering activity and researching effective methods of investigating and analyzing criminal financial activity.
Outsourcing is subject to strict rules in regulated sectors such as banking and finance, capital market and payment services.
Banking and Finance
Banking Law in Turkey prohibits banks from outsourcing (i) evaluation in terms of credibility, collateral, loan terms and types, and amount, (ii) accounting of banks' transactions and preparing their financial reports, and (iii) monitoring and evaluation of credit risk in the process until the liquidation of the loans allocated. Other activities can be outsourced and are subject to strict outsourcing rules under the Banking Law.
The service provider must be incorporated as a corporation and must have the necessary organization, assets and employee structure. Also, in case IT systems are outsourced, the agreement to be executed with a service provider must at least include service levels, terms and conditions of termination, measures to be taken for business continuity of the bank, privacy and non-disclosure clauses, provisions regarding intellectual property rights etc. Banks are subject to reporting obligations in the outsourcing process.
Outsourcing in payment services is also strictly regulated. The payment service provider must make an assessment of possible risks before outsourcing. The agreement to be executed with a service provider must at least include service levels, terms and conditions of termination, measures to be taken, privacy and non-disclosure clauses, provisions regarding intellectual property rights etc.
Similarly, capital market regulations allow outsourcing on strict conditions. Before outsourcing a service, intermediary institutions should check whether the subject activity is a type of service which is permitted to be outsourced and assess the expected benefits and probable costs of outsourcing of services and determine whether the service provider has the technical equipment, infrastructure, financial power, experience, know-how and human resources adequate for performance of the subject services at the desired quality. An agreement covering the mandatory content determined by the CMB must be executed between the intermediary institution and the outsourcing firm. Intermediary institutions are required to inform the CMB within ten business days as of the date of commencement of outsourced services, with respect to the outside service provider and the scope and nature of the outsourced services.
Unlike the draft Digital Services Act of the EU, the term “gatekeeper” is not defined, and no obligations specific to gatekeeper fintech providers are imposed under Turkish Law. Every regulated provider is required to implement measures reasonably calculated to prevent its services from being used in furtherance of criminal activity. Depending on the service provided by them, they may be subject to certain AML and KYC obligations.
In order to comply with their obligations under the AML and prevention of terrorist financing legislation, the know-your-customer principle applies to fintech providers. In this respect, to the extent applicable, fintech providers must establish the identity of the customer or those who act on behalf of the customer when a perpetual relationship is established or when certain transaction thresholds are exceeded. Recently, remote ID authentication became possible in Turkish law. Fintech providers are also under the obligation to verify the authenticity of documents necessary for the transaction and to track and report suspicious transactions. Otherwise, they may incur liability.
Based upon opinions of the Central Bank of Turkey, the BRSA formulates operating principles for independent audit firms and maintains a current list of those in compliance. The BRSA also licenses and supervises banks operating in Turkey with respect to which it is authorized to levy administrative fines, revoke licenses, and remove operations to the Savings Deposit and Insurance Fund (SDIF) - a public, legal entity that insures consumer savings deposit accounts.
Based on user-generated interest, Turkish regulators have focused on cryptocurrencies. The Ministry of Treasury and Finance made an announcement on crypto money and announced cooperation between the BRSA, the CMB and other related organizations to regulate this area. Recently, the Ministry of Treasury and Finance requested all users’ information from the crypto markets, which is considered by the market players as a concrete step towards regulating crypto markets.
In addition, the CMB regularly supervises leveraged transactions. As forex transactions can only be made through authorized institutions in Turkey as per Decree No. 32 on Protection of Value of Turkish Currency (“Decree No. 32”), foreign forex intermediaries which enable transactions to be made over the internet are blacklisted, and access to these sites is regularly banned by the CMB.
Fintech players, both new and legacy, are impacted by the following non-financial services regulations:
Presently in Turkey, there exists no stand-alone cybersecurity law; however, BRSA e-banking regulations applicable to cybersecurity include:
Banks are liable for false bank ads in search engine results and on social media platforms with which they contract.
According to the Turkish Constitution, Banking Law, and Turkish Criminal Code, banks are obligated to protect customer secrets, including financial and personal information obtained before execution, within the term, and after expiration of a banking contract. Finally, IT systems of capital market institutions are strictly regulated and subject to a special audit; fintech providers may also be subject to those regulations, depending on the service that they provide.
The Turkish Commercial Code requires fintech participants to be audited at regular intervals by independent auditing firms; tax and social security authorities may also assess specific regulatory compliance.
Companies outsourcing regulated activities are generally required to audit vendor compliance. For example, where a bank outsources capital markets settlement operations to another financial intermediary, the former must audit the latter’s compliance.
Specific supervisions and audits are envisaged for the information systems of industry participants, depending on their activities.
If a fintech provider carries out its business in a regulated area, its field of activity must be limited to that area; in this respect, unregulated services cannot be provided by the same fintech provider.
No regulations as to the rules and principles pertaining to robo-advisers’ operations are in force in the Turkish jurisdiction. Therefore, different business models are not required.
While robo-advisors are not specifically regulated under Turkish law, general banking, insurance, and financial laws and regulations are applicable, including BRSA’s best practices and CMB licensing requirements, depending on the area of usage of robo-advisers.
Specific robo-advisor legislation does not yet exist in Turkey.
Loan regulations are substantially similar in Turkey. Loans can be generally classified as commercial or consumer – based on the intended use, which might be subject to certain different rules under Turkish legislation.
Only banks and authorized financing companies are authorized to allocate loans as their main line of business.
Terms and conditions of consumer loans are strictly regulated by Banking Law, and the loan agreement must include certain provisions such as the consumer’s right to rescind the contract and its conditions, consumer’s rights, pre-closure and discount rates in such case. Ancillary obligations, such as pre-contractual information, apply to consumer loans. Loan and security ratio, joint offer of insurance products, maximum interest rates and number of installments are also limited for consumer loans pursuant to consumer protection legislation, namely the Consumer Law and Regulation on Consumer Loan Agreements.
While most of the commercial provisions can be freely determined in commercial loans, certain restrictions apply to commercial loans as well, especially with respect to fees which the banks may request from their commercial customers. Banks usually use general template agreements for loan allocations to their commercial customers. Facility agreements in LMA format are used instead of general template agreements for loans of certain size and purpose, especially in large volume transactions and project financing.
Small and medium sized enterprises and certain incentivized sectors can benefit from certain interest incentives. Private and government banks usually have specific loan offers to small and medium sized enterprises.
FX and FX-indexed Loans
Turkish resident real persons and legal entities are not entitled to utilize FX and/or FX indexed loans unless they fall within the scope of the exceptions listed under Decree No. 32. Borrowers are allowed to obtain credit facilities from abroad when such credits are disbursed through Turkish banks. The repayment is also effected through Turkish banks. The above disbursement rule through Turkish banks does not apply to specific cases listed in the Capital Movements Circular of the Turkish Central Bank.
Only equity-based crowdfunding is available in Turkish law. In this respect, crowdfunding is not an option for debt financing.
Underwriting is regulated primarily under the Regulation on Lending Transactions of Banks (“Lending Regulation”) promulgated by the BRSA; pursuant to which, banks operating in Turkey must obtain from clients an account status form, conforming to applicable Lending Regulation provisions, which for companies must, among other things, recite: field of activity, investments, number of employees, names of directors, credit notes, financials, and tax documents; and, for real persons: names of family members, real property and chattel and the status of all encumbrances thereon, occupation, and other debt service obligations. Strict AML rules and online onboarding rules are applicable for the banks under the Banking Law.
In Turkey, loans are provided primarily by banks funded through:
Savings Banks must be licensed and are strictly monitored by the BRSA. Syndicated loans are unregulated, with obligations established by contract among syndicate lenders; loan balances are rolled over annually. Capital markets debt offerings by banks, including securitizations, are regulated by CMB and capital markets legislation; and, in the case of regulatory capital issuances, additionally by the BRSA’s equity regulations on capital qualification.
Syndicated loans exist in Turkey; however, they are rather rare in terms of transaction numbers. They are unregulated and obligations are established by contract among syndicate lenders.
Payment processors are required to use existing payment rails.
Payments and remittances are regulated primarily under financial crimes investigation laws, and publications by the Revenue Administration within the Ministry of Treasury and Finance, and the MASAK. Cross-border transfers are also regulated by the Central Bank, as per the Capital Movements Circular and the relevant Decree No. 32.
Funds and fund administrators are primarily regulated by the CML and secondary legislation published by the CMB. All activities related to funds management are subject to strict rules determined by the CMB and require a license.
Under Turkish Law, funds are managed by the portfolio management companies defined under the CMB’s legislation. The Communiqué on Portfolio Management Companies and Principles regarding Their Activities, Serial No III-55-1 provides strict statutory requirements for the establishment, activities, organization, internal control, risk management, personnel of the portfolio management company, to assure performance and accuracy.
In addition, the mandatory content of the portfolio management agreement executed between the portfolio management company and its clients is pre-determined by the CMB under the mentioned Communiqué.
The BIST is the single authorized house in Turkey, and incorporates distinct trading platforms for stocks, debt securities, derivatives and diamonds and precious metals. Each of these markets has its very own regulations determining the trading rules and procedures.
The Equity Market consists of BIST Stars, BIST Main, BIST SubMarket, Watchlist, Structured Products and Fund Market, Equity Market for Qualified Investors, and Pre-Market Trading Platform.
The instruments traded in the equity market in BIST are equities, exchange traded funds, warrants, certificates, participation certificates of venture capital investment funds and real estate investment funds and real estate certificates.
Debt Securities Market
Also, public debt instruments, private sector debt instruments, lease certificates, repo and Eurobonds are traded in the debt securities market.
Outside the Centralised Markets
In addition to the centralized marketplaces, investment institutions can conduct over-the-counter derivative transactions in electronic trading platforms, that will be notified to the Capital Markets Association. Trading in cryptoassets, including cryptocurrency, is unregulated.
Each asset class is subject to a specific regulatory regime. Settlement, trading and collateral requirements and methods differ for each asset class. Also, the license requirements of the investment institutions might vary depending on the assets to be traded. Trading in crypto assets, including cryptocurrency, is unregulated.
Presently, cryptocurrency trading is unregulated in Turkey. It is understood, however, that a regulatory scheme is in process. Recently, the Ministry of Treasury and Finance made an announcement on crypto money and announced cooperation between the BRSA, the CMB and other related organizations to regulate this area. Also, in the Information and Communication Technologies Authority’s (“ICTA”) strategy plan, it is announced that the ICTA and TÜBİTAK have initiated their work regarding the infrastructure technology for cryptocurrencies. Moreover, the Ministry of Treasury and Finance requested all users’ information from the crypto markets, which is considered by the market players as a concrete step towards regulating crypto markets.
Listing standards are mainly regulated under the CML and BIST’s regulations, especially under the BIST Regulation on Stock Market Operations and BIST Listing Directive dated 2015.
Listing conditions differ depending both on the asset class and market segment. The listing requirements are determined by the Listing Directive and Listing Regulation of the BIST. Generally, financial strength, market value of the equities offered to public, business continuity, profitability shall be taken into consideration in the listing.
Handling rules differ depending on the asset type and the trading platform. In general, investment institutions accept and fulfill customer orders in accordance with their order execution policy, the principles specified in the framework agreement, and in compliance with the duty of care and loyalty to the customer. Investment institutions are obliged to protect the confidentiality of customer orders and show professional care in their activities. Investment institutions are subject to the obligation to reach the best possible result when executing their clients’ orders by taking into consideration different factors.
Orders may also be accepted through electronic means. In such case, the system that enables orders to be received electronically must comply with certain requirements determined under the CMB’s legislation.
Peer to peer trading is not allowed in Turkey except for crowdfunding. As a rule, centralized exchange is accepted. However, in certain conditions trading on the over-the-counter market is possible.
The Communiqué on Investment Services and Activities and Ancillary Services, Serial No III-37.1 imposes a best execution requirement on investment institutions. Accordingly, when executing orders, investment firms are obliged to fulfill the orders in a way that will give the best possible result for the customer in compliance with their order execution policy, considering the preferences of the customers in price, cost, speed, clearing, custody, counterparty and any other considerations relevant to the execution of orders.
Investment institutions can refuse the orders provided that refusal conditions are stipulated under the framework agreement (save for the lawful orders for filling the open positions in derivatives).
Turkey does not have specific rules or guidance on payment for order flow. Under Turkish law, investment firms are fiduciaries of their customers and are required to disclose conflicts of interest and to act fairly and honestly in protecting customer interests and market integrity. To that end, investment firms are required to implement measures necessary to prevent conflicts of interest with their customers, shareholders, and staff, and to address inter-customer conflicts. Investment firms are under the obligation to implement a conflict-of-interest policy. This policy contains examples of possible conflict of interest scenarios, measures to be taken and procedures regarding handling conflict of interest cases.
Market manipulation and insider trading are defined as criminal offenses carrying jail time under the CML in order to protect investors, especially small investors.
HFT and algorithmic trading are regulated under various procedures of BIST including Algorithmic Transactions in Equity Market and BISTECH PTRM / Pre-Trade Risk Management Procedure, Equity Market Procedure, Forward Transaction and Options Market Procedure. Those wishing to use HFT systems must undertake to comply with these procedures and must notify BIST regarding the software used, including the location and ownership of the servers on which the software is set up. In order to differentiate high frequency transactions from normal customer orders and to follow them, different user accounts will be allocated for these transactions with a market member application. For the submission of orders by algorithms based on high frequency transactions, a separate user account must be defined for each different algorithmic order transmission system. These users are required to use the risk group controls (user limits) of the Pre-Trade Risk Management Application. In order for a user to be considered a high-frequency transaction user, the servers that will generate orders on behalf of this user must be deployed by the market member in the colocation center of the BIST, and a user code with a distinctive feature must be given to these users by the BIST.
Market making and rules regarding market makers are mainly regulated under the Equity Market Procedure of the BIST. No specific registration requirement is envisaged for HFT traders functioning in a principal capacity as market makers. HFT traders meeting the requirements, however, may apply to register as a market maker.
Current regulations make no distinction between funds and dealers.
The market member is directly responsible to the BIST for the algorithmic order transmission systems it uses to transmit orders belonging to itself or its customers. The market member who uses / mediates systems on the market has an inalienable responsibility for the effects and results of these systems. The market member will be deemed to have accepted and committed that the orders will be sent in a way that will not hinder the functioning of the markets, risk or cause misdirection, and that control practices will be established for this. It is the responsibility of the market members to carry out the necessary controls and tests regarding the software to be used in order transmission to the system with algorithmic order transmission systems, to monitor the risks that may occur in real time after commissioning, to limit these risks and to terminate the order transmission by stopping the software as soon as possible when necessary.
Currently, financial research platforms are unregulated so long as they do not reach the level of investment consultancy. Comments and recommendations for investors including expressions to encourage the trading of certain capital market instruments or that may otherwise affect investor decisions are regarded as investment advice. Comments and recommendations based on an anonymous investor, regardless of the risk or return criteria of a particular person, are referred to as general investment advice. General investment advice is not subject to license; however, certain conditions apply. Subjective and exaggerated expressions such as "the best" or "the most reliable", which mislead investors or exploit their lack of knowledge and experience, must not be included in the comments and recommendations offered. Also, a warning banner should be placed stating that the investment advice provided is not within the scope of investment consultancy and that, as the advice is not personalized, it may not be suitable for the recipient and may thus cause undesirable effects.
Spreading of rumors and unverified information may be criminally prosecutable as information-based market manipulation under the CML. Those who provide false or misleading information, rumors, comments or prepare reports in order to affect the prices, values of capital market instruments or the decisions of investors and acquire benefits as a result are punished with imprisonment. However, in order for it to be punishable, the harm must be done, and the offender must acquire a benefit from his offence.
Financial research platforms are unregulated; however, the CMB has discretion to consider ad hoc cases of possible market manipulation through postings. Information-based market manipulation is a criminal offense under the CML.
There is no specific regulation for insurtech. Extant underwriting rules for insurance apply also to insurtech.
There are no applicable regulations.
RegTech is not currently regulated in Turkey. However, depending on the field in which the services are provided, specific market regulations, such as those for banking, energy or capital markets, may apply.
No statutory regulation is envisaged as to the contractual terms to that end. Agreements need to be carefully drafted to assure the performance of the services.
Implementation of blockchain technology in Turkey has been rather quick. Traditional players are optimistic about the potential of blockchain. For example, the Central Bank of the Republic of Turkey is planning to launch a blockchain-based virtual currency. Numerous private banks have enabled cryptocurrency transactions made through contracted cryptocurrency platforms.
On the other hand, use of cryptocurrencies in capital markets is prohibited. In 2017, the CMB sent a general letter to the intermediary institutions, pursuant to their information request, stating that there is neither a regulation nor a definition of crypto assets under Turkish legislation and that, as crypto assets are not listed among the underlying assets on which a derivative instrument can be based, intermediary institutions should not conduct any derivative or spot transaction based on cryptocurrencies.
On the other hand, blockchain technology is usable in the finance sector. For example, BIST has carried out a project to use a customer database based on blockchain technology. In this respect, the addition of new customers and changes to data and documents are managed through a blockchain network. Similarly, Istanbul Takas ve Saklama Bankası A.Ş. has implemented a blockchain application to enable physical gold to be converted into a digital asset and allow the transfer of gold, without time limitation, from person to person.
Blockchain is currently unregulated. It is understood, however, that applicable legislation is in process.
Blockchain is currently unregulated. On the other hand, digital securities have structural similarities with investment instruments regulated under the CML. In this sense, when issuing these assets it is important to make a detailed assessment of whether they may fall within the scope of the CML and relevant legislation. Where the instrument has a regulated underlying asset such as equities, the issue of such an asset would probably be subject to the CML and relevant legislation.
Cryptocurrency transactions are believed to be subject to extant laws on prevention of financial crimes, AML and financing of terrorism, and laws of taxation.
The 11th Development Plan of Turkey, published in Official Gazette no. 30840, and dated 23 July 2019, contemplates development of blockchain technology in Turkey, and a blockchain-based virtual currency issued by the Central Bank by 2023. In early 2020, CMB issued a statement indicating that cryptocurrency regulations are in process.
Neither “money” nor “currency” is defined under Turkish law. Fiat currency may be issued only by the Central Bank.
Blockchain asset issuers are unregulated at present, save for our explanation on the digital securities above.
There are no specific regulations applicable to either blockchain asset trading platforms or secondary market trading of blockchain assets.
In the absence of specific blockchain regulations, existing law limits the types of assets in which a fund may invest. Since blockchain assets are not specifically approved, it is reasonable to conclude that funds may not invest in them. Moreover, the CMB does not allow intermediary institutions to conduct any derivative or spot transaction based on crypto assets.
Virtual currencies are defined in Turkish Law as “Monetary value that is issued on the receipt of funds by an electronic money issuer, stored electronically, used to make payment transactions defined in this Law and also accepted as a payment instrument by natural and legal persons other than the electronic money issuer.”
In order to settle the potential conflicts on this issue, BRSA published a public statement in November 2013 assessing cryptocurrencies' legal status with respect to the Payment Law. According to BRSA, cryptocurrencies (Bitcoin in the public statement) cannot be regarded as electronic money since they are not issued by any official or private institution, and their intrinsic value is not reserved by the funds received by the issuer.
In this respect, virtual currencies are regulated in Turkish law; however, cryptocurrencies are not regarded as virtual currencies.
Presently, DeFi is not regulated by Turkish law.
The Regulation on Information Systems of Banks and Electronic Banking Services defines open banking as “[a]n electronic distribution channel where customers or parties acting on behalf of customers can perform banking transactions by remotely accessing financial services offered by the bank through API, web service, file transfer protocol, or give instructions to the bank to perform these transactions.”
In addition, the Regulation provides that one-factor authentication may be used for open banking services if the communication between the bank and the client or client’s agent is end-to-end encrypted. The Banking Regulation and Supervision Board (“BRS Board”) can also regulate all aspects of open banking.
By definition, all provisions governing electronic banking apply to open banking.
Open banking services in Turkey are yet to become fully functional; however, they are expected to become functional soon with the enactment of secondary legislation by the BRS Board and the Central Bank. The BRS Board is expected to determine which services may be provided as open banking services and the procedures and principles of open banking services within the scope of banking as explained above. The Central Bank, on the other hand, is expected to regulate the procedures and principles regarding data transfer between service providers for open banking services. Also, as mandatory account access is necessary for the open banking system to operate functionally, several amendments to the law in line with PSD2 are awaited to enable open banking services.
On the other hand, the DP Law is expected to be amended in line with the GDPR in due course. In that case, data subjects’ rights such as data mobility and new concepts such as joint data controllers may become applicable to open banking applications.
The ongoing global transformation from analog to digital began, arguably, with the invention of the first computer. For the purposes of this article, digital transformation refers to the integration of traditional business processes and digital technology.
The internet’s journey from relatively obscure technology to, as it were, a ubiquitous household service, along with always-on access since the advent of smartphones, has powered rapid digital transformation; now big business is paying attention.
From the early implementation of online banking to today’s complete online financial services platforms, the financial services sector has always been a pioneering force in digital transformation. Until recently, a bank’s digital financial products could be accessed online only via the bank’s digital platform, seriously inconveniencing consumers utilising the products of several banks simultaneously. Now, however, technology developed by fintech providers allows consumers to access all their financial products and perform all transactions on a centralised digital platform in accordance with financial services regulations.
The Open Banking Concept
Conceptually, open banking implements a secure channel through which an individual’s bank-held financial information can be accessed – with the individual’s consent obtained primarily through application programming interfaces (APIs) and similar means – by certain third parties to facilitate financial transactions. Thus, for the benefit of consumers, open banking breaks the longstanding institutional monopoly of banks over consumer data and encourages competition within the sector.
Within the financial services sector, potential benefits of widespread implementation of open banking APIs include:
Potential benefits of open banking extend beyond financial services, including facilitating the generation and presentation of tailored products – eg, housing, shopping, education, and transportation.
Open Banking in the Fintech Market
Fintech, or the Financial Technology Industry, uses the combined resources and know-how of the financial services and technology sectors to provide enhanced, improved, convenient, fast, and user-friendly digital financial solutions.
According to Allied Market Research1, overall, open banking generated revenue of USD7.29 billion in 2018; by 2026, revenue is projected to reach USD43.15 billion, representing year-on-year growth of 24.4% for the period. Within the marketplace, banking and capital markets produced the lion’s share of open banking revenue in 2018, due to a surge in new services. The payments segment is projected to see year-on-year growth of 27.3% through 2026, due to the increase in consumer use of digital banking platforms for initiating debt payments. Accordingly, open banking is poised to power rapid growth in fintech.
Recent Developments Due to COVID-19
Lockdowns, quarantines, social distancing, and similar COVID-19 pandemic restrictions have resulted in a dramatic increase in consumer demand for online services of all kinds; and specific to fintech, increased demand for online financial services and contactless payment platforms. According to a survey by Ipsos MORI and the Open Banking Implementation Entity, 50% of small and medium-sized businesses in the UK use open banking services; 60% of them due to the pandemic. Furthermore, according to the Open Banking Implementation Entity, during the pandemic the number of open banking users in the UK increased from one to two million.
The extent of open banking penetration in Turkey cannot be meaningfully estimated at present. What is certain, however, is that digital banking in Turkey continues to expand at a remarkable rate. According to the Banks Association of Turkey, active digital banking customers totalled approximately 50 million in the period July–September 2019, and 63 million in the period July–September 2020; a dramatic increase attributable primarily to the pandemic.
Regulation of Open Banking in the EU
The Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (“PSD2”), amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, is the primary EU legislation on open banking. The initial EU directive on payment services was introduced in 2007. Thereafter, to address insufficient competition in the financial services sector and to improve consumer transactional security, a comprehensive set of amendments comprising PSD2 was enacted into law on 13 January 2016. EU member states were given a two-year window for internal implementation.
Notable PSD2 provisions open parts of the financial services market to third-party payment providers by allowing them access to bank-held consumer financial data. PSD2 provides that banks and other financial institutions holding consumer deposit accounts, accessible online and set up for online payments, are permitted to give third-party financial services providers access to data associated with those accounts.
PSD2 contemplates two primary third-party services, namely:
PSD2 defines PIS as “a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider”. PIS services simply facilitate interparty online payments and EFTs.
PSD2 defines AIS as “an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider”. With AIS, consumers can manage their aggregate financial affairs on a single platform and without institutional limitations. Thus, AIS facilitates effective financial affairs management by presenting consumers with a complete financial picture.
The key concept which enables the third parties to participate in the financial services and thus compete with the banks and other financial institutions is, as explained above, the obligation of the banks to open their financial services and data to third-party applications. However, as per PSD2, the use of these services depends on the explicit consent of the user. PSD2 and the General Data Protection Regulation (GDPR) contemplate different aspects of explicit consent. The GDPR deals with it within the context of secure processing of personal data, whereas PSD2 does so within the context of open banking processes. PSD2 does address the secure transfer of personal data, eg, Article 66 provides that PIS/AIS user data obtained during provision of payment services may be provided to the payee only with the payer’s explicit consent.
Aiming to promote open banking through user trust in applications, PSD2 increases online fraud protection by requiring strong electronic payment security measures to safeguard consumer data.
Notwithstanding PSD2, EU fintech companies must register with and obtain a licence from competent member state authorities regulating capital and other requirements for market participation.
Regulation of Open Banking in Turkey
The Regulation on Information Systems of Banks and Electronic Banking Services (“Regulation”), which is published in Official Gazette No 31069, dated 15 March 2020, and effective as of 1 July 2020, defines open banking as “[a]n electronic distribution channel where customers or parties acting on behalf of customers can perform banking transactions by remotely accessing financial services offered by the bank through API, web service [or] file transfer protocol, or give instructions to the bank to perform these transactions”.
The Regulation applies only to bank-offered services, and open banking is addressed only in an article which provides, in the relevant part, that one-factor authentication may be used for open banking, provided that communication between the bank and the consumer or consumer’s agent is secured by, among other data protections, end-to-end encryption; and that the Banking Regulation and Supervision Board (“BRS Board”) in its discretion may determine the universe of open banking services and regulate same.
Since open banking services are included in the Regulation’s definition of electronic banking services, its provisions on electronic banking services are also applicable to open banking services.
In Turkey, AIS and PIS, considered basic services under PSD2, are regulated by the Law on Payment and Securities Settlement Systems, Payment Systems and Electronic Money Institutions No 6493 (“Law No 6493”), which, though originally intended to align with the initial EU Payments Services Directive 2 as amended (amendments effective as of 1 January 2020), includes AIS and PIS in its definition of payments services (see Law No 6493, Article 14), thus placing it under the rubric of open banking.
Article 14 of the Law No 6493 makes licensing mandatory for open banking services providers wishing to participate in the marketplace. Licences are issued by the Central Bank of the Republic of Turkey (CBRT) which, under Article 14/A of Law No 6493, regulates AIS/PIS data-sharing among open banking service providers. Although secondary legislation has yet to be enacted, the CBRT has prepared draft AIS/PIS regulatory guidelines.
The Communiqué on the Management and Audit of Information Technology Systems of Payment Institutions and Electronic Money Institutions (“IT Communiqué”) governs management and auditing of IT systems maintained by open banking market participants, and imposes certain obligations on payment institutions, including open banking companies, eg, preparing policies, making risk assessments, assigning duties, and ID authentication. In addition, payment institutions are required to store transaction logs for three years before disposing of them. Furthermore, the IT systems of payment institutions are subject to biennial independent audits.
Of note, particularly for foreign players seeking entry into the Turkish open banking sector, primary and secondary payment institution systems must be housed in Turkey.
Outsourcing is also regulated by the IT Communiqué.
Personal data protection
Data protection is the foundation of consumer trust in systems that process personal data. Personal data is protected by strict laws permitting processing only if necessary to carry out an intended and agreed upon consumer service. If the data is special category personal data, then explicit consent to process it is required. Otherwise, provided processing is narrowly tailored, explicit consent is not required.
Notification of data subjects is crucial in open banking. Data subjects have the unequivocal right to full disclosure regarding processing of personal and financial data. In particular, where provider performance requires data processing beyond mere monitoring of accounts or initiation of payments, the data subject must be given prior notice with adequate detail in clear, easily understood language.
In cases of data breach, open banks are liable as data controllers. Currently, it is unclear whether, in the absence of a services agreement between bank and consumer, a bank must provide data to an open banking services provider. This is a material divergence from PSD2, which prescribes such access. Accordingly, under Turkish law banks may, in the interest of data privacy, refuse to allow service providers to access consumer data. Furthermore, unlike PSD2 which mandates certain third-party access to bank-held consumer data, under Turkish law it is not clear whether, even with explicit consent, a bank is obliged to share consumer data.
What is missing/awaited?
Open banking is developing in Turkey. Full implementation is not expected before the enactment of secondary legislation, in which the BRS Board is expected both to specify permitted open banking services and present a regulatory scheme; while the CBRT is expected to promulgate a regulatory scheme for open banking data transfer.
Furthermore, since a functioning open banking system requires mandatory data-sharing with service providers – according to PSD2 – and since Turkish law does not provide for this, amendments to Law No 6493 are expected. It is noteworthy, and perhaps indicative of future developments, that CBRT’s most recent draft regulations conform to PSD2.
Moreover, in due course, amendments to the Law on Personal Data Protection No 6698 are expected to align it with the GDPR and – in the context of open banking – address, among other things, consumer data portability and joint data controllers.