Recent Legislative Amendments in Turkey on Payment Services and Electronic Money Issuance and Payment Service Providers
The legislative amendments in Turkey regarding payment services and electronic money issuance, as well as payment service providers, are currently a notable topic on the agenda. This legal bulletin compiles the amendments made in this scope over the last two months for your information.
In this context, the primary amendments to the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (“Regulation“) and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services (“Communiqué” or “Payment Services Communiqué“), as amended by the Official Gazette dated October 7, 2023, and numbered 32332, are tabulated below.
Additionally, published in the Official Gazette dated November 4, 2023, and numbered 32359, and effective from the same date, the Amendment to the General Communiqué of the Financial Crimes Investigation Board (Serial No: 19) by the Communiqué on Amendments (Serial No: 25) (“Amendment Communiqué”) has ensured uniformity in the regulations concerning the acquisition of customers by payment and electronic money institutions through remote identity verification. Detailed information can be found in the last section of this legal bulletin.
Amendments Introduced by the Regulation
Digital Wallet | |
Definition | A payment instrument presented as an electronic device, an online service, or an application, which stores information related to the payment account or payment instrument defined by the customer. It enables the customer to make payment transactions using the information related to the payment account or payment instrument they have defined. |
Who Can Provide It? | Payment Service Providers (“PSPs”): Banks within the scope of Law No. 5411.Electronic Money Institutions.Payment Institutions.PTT (T.C. Post and Telegraph Organization). Note: The term “Institution” includes only Electronic Money and Payment Institutions. |
Minimum License Requirement | The institution that will provide digital wallet services must be authorized to operate within the scope of issuance or acceptance of the payment instrument, at least limited to the issuance of the payment instrument. |
Additional License Requirements | Generally, depending on the services provided to the customer using a digital wallet, the institution must also obtain additional licenses related to the scope of the activity it will perform in addition to the minimum license. |
Additional License for Use at Businesses | In cases where the digital wallet is used for payments at businesses, if the funds used for payment are transferred through the institution providing the digital wallet, then this institution this institution is required to have an electronic money issuance license. The transfer of funds related to a payment transaction through the institution providing digital wallet services, due to the provision of necessary payment services in the businesses for the direct use of the payment account or payment instrument linked to the digital wallet in payment transactions in the business, is not included in this scope. Note: The term “business” here refers to a natural or legal person who agrees to sell goods and services using a payment method that falls under the scope of payment services, within the framework of a contract made with the PSP. |
If the payment account or payment instrument of another PSP is to be used directly when making payments at businesses with a digital wallet, the institution must hold a payment order initiation service license. | |
Cases Not Covered Under Digital Wallet Service | Electronic devices, online services, or applications that can only define and store a payment account and payment instrument issued by the providing PSP itself.Services provided by legal entities that store sensitive customer data on behalf of the business or PSP in compliance with the regulations, but do not engage in direct legal transactions with the customer and do not own the relevant funds at any point of the payment process.(As a rule) Prepaid instruments that can be used only within the store network of the electronic money issuing institution, only for the purchase of a specific group of goods or services, or only within a specific service network as a result of an agreement. |
Introduced Obligations Related to Payment Instruments (To be effective as of 31/03/2024) | |
Who is Obligated | PSPs issuing payment instruments |
In Which Cases | When the PSP issuing payment instruments issues them compatible with multiple card system establishments, andWhen the customer requests the payment instrument to be issued specifically associated with a certain card system establishment. |
The Obligation | The PSP must issue the payment instrument compatible with the card system establishment selected by the customer. |
The PSP cannot engage in practices that make the issuance process of the payment instrument, compatible with the selected card system establishment, more difficult for the customer before and after the issuance. | |
Who is Obligated | PSPs performing card-based payment instrument acceptance |
The Obligation | To ensure that the devices, hardware, and software used in acceptance activities are compatible with card systems established by systemically important payment system operators authorized to conduct card system establishment activities, andTo ensure that payment instruments issued in compliance with these infrastructures can be used at the businesses to which it provides services. |
Who is Obligated | Businesses |
The Obligation | The business is obliged to provide necessary support for the work on the compatibility of the payment infrastructure provided by the PSP with the relevant card systems and business usage. The Central Bank of The Republic of Turkey (“CBRT”) is authorized to request the PSP to cease providing payment infrastructure services to any business that fails to show reasonable effort in taking the necessary measures to fulfill its obligations without a reasonable justification. |
Introduced Obligations When Providing Services to Other PSPs | |
In Which Cases | When a PSP, while having another PSP under its control, provides payment account services and infrastructure services related to payment services simultaneously to the controlled PSP as well as the other PSPs. |
Obligations of the Controlling PSP | |
Obligation to Provide Services Under the Same Conditions | It is essential for the controlling PSP to offer the same type of services to the PSP it controls and to other PSPs under the same terms and conditions, and with the same fee policy. |
Obligation Not to Direct Customers | The controlling PSP cannot direct its customers to the PSP it controls in a manner that gives an unfair advantage over other PSPs. |
Obligations of the Controlled PSP | |
Obligation Not to Publicize the Control Relationship | The controlled PSP, except in cases of interface provider status, cannot use expressions in its documents or any communication with third parties that would create the impression that it is acting on behalf of the controlling PSP. |
Exceptions to the Obligations | Contrary practices that may arise due to regulatory obligations and reasonable security, operational, and technical requirements. |
Changes to the License Authorization Process | |
Rectifying Incomplete Information and Documentation | |
Initial Application Phase | If deficiencies in the information and documentation related to the initial notification phase are not rectified within three months from the date of notification of the CBRT letter regarding the deficiency, the application shall be deemed not to have been filed with the CBRT. |
Activity Expansion Application | If deficiencies in the information and documentation related to the activity expansion process are not rectified within six months from the date of notification of the CBRT letter regarding the deficiency, the application for activity expansion shall be deemed not to have been filed with the CBRT. |
Changes Regarding Application Documentation | |
Final Approval Phase Document | The report to be obtained on issues not directly related to information systems must be prepared by independent audit institutions listed in the Independent Audit Institutions list, which have obtained the authority to conduct independent audits from the Public Oversight, Accounting and Audit Standards Authority, including institutions of public interest. |
Informative Review Phase Documentation | The following have been added to the documentation to be submitted in the relevant application phase: Undertakings stating that the applicant’s capital in the company is financed from their own resources and has been provided and deposited in cash, free from any collusion.Documentation related to the bankruptcy or concordat certificate obtained from the relevant trade registry office, and the document regarding the Findeks credit rating for the applicants and companies in which these persons directly own at least 33%. |
Addition of “Qualified Service” Definition | |
Value-Added Service | Qualified Service |
Services that do not fall within the scope of payment services as per the legislation but facilitate, secure, or enhance the efficiency of administrative and operational processes of legal entities and merchants, such as commercial debt and receivable management, accounting, invoicing, product, inventory, and supply management. | Services that do not fall within the scope of payment services as per the legislation but facilitate, secure, or enhance the efficiency of payment services offered by supporting the financial status and financial awareness of natural persons, such as individual budget management, invoice management, account verification, and reminders regarding payments. |
For Legal Entities | For Natural Persons |
Expansion of Activity Areas for PSPs | |
Added Activity | Limitation of Added Activity |
Provision of value-added services to legal persons and qualified services to natural persons. | Institutions with open banking licenses can offer value-added and qualified services related to both accounts held at their own institution and those held at other PSPs. Other institutions may offer these services only in relation to the accounts held by themselves. |
Services to be provided as an interface provider within the scope of the Regulation on Digital Banks’ Operational Principles and Service Model Banking. | Interface provider services cannot be offered in direct or indirect transactions related to precious metals, gemstones, and foreign currency exchange. |
Ancillary services that may increase the usage of the institution’s payment services, such as marketing and directing customers to the services of financial institutions whose activities are regulated and supervised by an authorized authority within the framework of relevant legislation. | Döviz alım-satımıyla ilgili işlemlerde ilgili nitelikteki yan hizmetler sunulamaz. Ancillary services of this nature cannot be offered in transactions related to foreign currency exchange. The qualified ancillary services to be offered by the institution cannot encompass the entire primary activity of the financial institution it serves. The institution cannot assume any role beyond what is regulated in the legislation during the provision of these services. |
Intermediary services related to the trading of processed precious metals and gemstones. | The total transaction volume mediated by the institution within a month is limited to a maximum of 1% of the previous calendar year’s payment volume. |
Miscellaneous Changes | |
Share Acquisitions and Transfers | Share acquisitions and transfers among companies belonging to the same group that do not directly or indirectly cause any change in the shareholding ratios of the institution’s ultimate shareholders in the institution are exempt from CBRT permission. Share transfers within this scope must be notified to CBRT within ten business days at the latest after the institution becomes aware of them. CBRT is authorized to demand the suspension or reversal of share transfers if it determines that these transfers damage the transparent and open shareholding structure of the relevant institution in a way that prevents CBRT’s supervision. |
Regarding The Communication Sector | The upper limits for payments to be intermediated by the IT or electronic communications operator have been increased from TRY 500 to TRY 1000 per transaction and from TRY 1250 to TRY 2750 per month for the total monthly expenditure of the customer for all lines held by the customer with the relevant electronic communications operator. Additionally, the waiting period for service suspension from the final payment date of the bills has been increased from 15 to 30 days, and the waiting period for not opening the service for 1 year has been increased from 1 month to 60 days. |
Representatives | In each case where the representative relationship is terminated by the institutions, a separate list will be created within the Payment and Electronic Money Institutions Association of Turkey (“TÖDEB”) regarding the persons whose representative relationship has been terminated. These persons will be included in this list for five calendar years, and those whose representation relationship is terminated for non-commercial or non-technical reasons will be specifically indicated in the relevant list. The TÖDEB list will publicly display the trade name, address and internet address of the institutions and the MERSIS number, field of activity, address and website address, if any, of the representative, including sole proprietorships. |
Risk Management Personnel | It is stipulated that at least one of the risk management personnel within the institution must be a full-time employee of the institution. |
Change of Title Notification | Changes in the titles of institutions will no longer be subject to CBRT’s approval but must be notified to CBRT within 20 business days following the completion of the change process. |
Inclusion of the Collateral Amount in Equity Deduction | The collateral amounts that institutions will deposit with the CBRT under the legislation will also be taken into account as a deduction item in the equity calculation. However, it is stated that payment and electronic money funds cannot be used as collateral. In addition, if the criteria taken into account in determining the collateral amounts are not met individually, the collateral amount will be increased by 25%, if not met collectively, by 100%. |
Amendments Related to Equity | Amounts of capital and shares held in banks will no longer be included in the equity calculation as a deduction item. The conditions requiring that the free provisions included in the equity calculation be readily available for the institution to cover potential losses from risks, be clearly stated in accounting records, and be approved by the independent audit institution conducting the institution’s audit, have been removed. It is stated that the continuous and regular reporting obligation in the legislation will not replace the notification obligation to the CBRT in case the equity falls below the minimum amounts specified in the legislation. |
Amendments Introduced by the Communiqué
Subject of Change | Description |
Creation of Audit Trails | The content of the minimum records to be kept in the audit trail recording system has been expanded to include not only the application where the access or transaction occurred, but also the communication network protocol, time and source, destination port, and IP information in the records. In the event that the audit trail recording system stops for any reason, instead of directly prohibiting any transactions until the system is reactivated, it is now possible to ensure that the audit trails of the transactions that occurred during the downtime are recorded in the system by maintaining their security and integrity once the system is reactivated within the continuity objectives of the audit trail recording system. Additionally, the institution is now obligated to prove that transactions conducted while the audit trail recording system was down were carried out by authorized persons and in compliance with legislation. It also has the obligation to indemnify any party that suffered damage due to these transactions. |
Obligation of Care for Locality in Critical Information Systems | An obligation has been introduced to exercise utmost care for the products and services to be procured for critical information systems and security to be produced in Turkey or for their developers to have R&D centers in Turkey, and to consider this locality as an important criterion in outsourced service procurement. Furthermore, the condition that these providers and manufacturers have intervention teams in Turkey has been stipulated. CBRT reserves the authority to set additional requirements for security products and other information technology elements to be used by institutions. |
Exception for Data Transfers Abroad | In cases where one of the parties to the payment transaction (either themselves or their service provider) is located abroad, the institution can share the necessary data with the relevant third parties abroad, limited only to the extent required for the smooth execution of the payment transaction and in accordance with the principle of proportionality, provided that the data continues to be stored domestically, subject to the request or instruction from the customer regarding the payment transaction, and without prejudice to the obligations under Article 9 of the Law No. 6698. CBRT may halt or impose additional restrictions on these data-sharing practices if it determines that such practices would adversely affect the development of the payments area. |
Changes Related to Processes Conducted via Remote Communication Tools | In identity verification and contract establishment processes conducted via remote communication tools, the following have been added to the minimum requirements to be fulfilled by institutions while using internet-based methods that allow for remote identity verification and verification of the person to be identified, unless a centralized structure approved by CBRT is used: |
1) Verifying the authenticity of the document used for remote identity verification and the data and information contained in the document primarily using near-field communication; testing the authenticity, integrity, wear and falsification of the document and the data and information contained in the document, especially the security elements, photograph and signature that can be visually distinguished under white light, and ensuring that the process of checking the front and back sides of the document for visual elements is recorded uninterruptedly. | |
2) If verification using near field communication is not possible for any reason, ensuring the authenticity of the document and the data and information it contains is verified using optical character recognition, card reader, or other methods determined by CBRT after consulting with Financial Crimes Investigation Board (“MASAK”), testing the authenticity, integrity, wear and falsification of the document and the data and information contained in the document, especially the security elements, photograph and signature that can be visually distinguished under white light, and ensuring that the process of checking the front and back sides of the document for visual elements is recorded uninterruptedly. | |
3) Recording the approval and explicit consent of the person whose identity will be verified regarding the use of biometric data for remote identity verification and that the contract process will be conducted via a remote communication tool. | |
4) Following the remote identity verification or face-to-face determination of customer identity, obtaining the customer’s declaration of intent to establish the contract via an online video call or through an electronic channel after performing strong identity verification on the same electronic channel if the latter is preferred. | |
Information systems used in processes conducted via remote communication tools under this article are considered critical information systems. | |
Definition of Anonymous Prepaid Instruments | Pursuant to the amendments made to both the Regulation and the Communiqué, one of the conditions for being an anonymous prepaid instrument is to stay within the monetary limits set forth in the MASAK General Communiqué (Serial No: 5). |
Definition of Near-Field Communication (NFC) | Near-field communication is defined as, “a short-range wireless connection technology that enables data transmission over a magnetic field generated by either touching electronic devices together or bringing them close to each other without contact.” |
Transitional Provisions | ||
Addressee | Activity to be Conducted | Deadline |
PSPs that do not provide their customers with direct online access to the payment accounts held with them | To complete integration with Interbank Card Center A.Ş. (“BKM”) within a maximum of 6 months after starting operations, having obtained the necessary permissions. | 31/12/2025 |
Institutions that will provide digital wallet services | Obtaining the necessary licenses for services within the scope of digital wallets or ensuring compliance for institutions already providing digital wallet services. | 07/10/2024 |
PSPs holding payment accounts | Provision of data sharing services, the technical requirements of which have been determined, to institutions with ongoing license application process and open banking license holders by using non-standard services. | 30/06/2024 (CBRT may extend this period by up to 6 months). |
Open banking institutions in the licensing application process | Provision of data sharing services, the technical requirements of which have been determined, by using non-standard services. | 30/06/2024 (CBRT may extend this period by up to 6 months). |
Banks and open banking institutions | Provision of data sharing services, the technical requirements of which have been determined, by using non-standard services in relation to the payment accounts held with the PSPs that are not among the top ten participants in terms of the total number of account payment transactions realized in 2020 in Bank Payment Systems. | 30/06/2024 (CBRT may extend this period by up to 6 months). |
TÖDEB | Determination of the minimum elements to be included in the receipt to be given to the customer by electronic money institutions. | 31/12/2023 |
Uniformity Established in the Provisions of Remote Customer Acquisition for Payment and Electronic Money Institutions
Previously, following the amendments to the Payment Services Communiqué published in the Official Gazette dated October 7, 2023 and numbered 32332, and entered into force on the same date, payment and electronic money institutions were enabled to carry out the processes of identity verification and establishment of contractual relationship with customers by using remote communication tools, and the principles regarding this were regulated in Article 22 of the Payment Services Communiqué. Paragraph 14 of the same article referred to the “Financial Crimes Investigation Board General Communiqué (Serial No: 19)” (“MASAK Communiqué“) and stated that the provisions of the MASAK Communiqué would be applied with priority.
Prior to the amendment dated November 4, 2023, although Article 4 of the MASAK Communiqué included a provision stating that obligors may use remote identification methods if they are permitted (in other legislation) to identify and establish contracts with their customers through remote communication tools, there was a hesitation as to whether the MASAK Communiqué covered payment and electronic money institutions in general.
The provision brought by the Amendment Communiqué has resolved these doubts, clarifying that the methods and measures to be used by payment and electronic money institutions in customer acquisition through remote communication tools will be based on the Payment Services Communiqué. As a result, uniformity between the regulations of CBRT and MASAK has been achieved.
You can access the text of the Amendment Communiqué here.