Recent Legislative Amendments in Turkey on Payment Services and Electronic Money Issuance and Payment Service Providers

The legislative amendments in Turkey regarding payment services and electronic money issuance, as well as payment service providers, are currently a notable topic on the agenda. This legal bulletin compiles the amendments made in this scope over the last two months for your information.

In this context, the primary amendments to the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (“Regulation“) and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services (“Communiqué” or “Payment Services Communiqué“), as amended by the Official Gazette dated October 7, 2023, and numbered 32332, are tabulated below.

Additionally, published in the Official Gazette dated November 4, 2023, and numbered 32359, and effective from the same date, the Amendment to the General Communiqué of the Financial Crimes Investigation Board (Serial No: 19) by the Communiqué on Amendments (Serial No: 25) (“Amendment Communiqué”) has ensured uniformity in the regulations concerning the acquisition of customers by payment and electronic money institutions through remote identity verification. Detailed information can be found in the last section of this legal bulletin.

Amendments Introduced by the Regulation

Digital Wallet  
Definition  A payment instrument presented as an electronic device, an online service, or an application, which stores information related to the payment account or payment instrument defined by the customer. It enables the customer to make payment transactions using the information related to the payment account or payment instrument they have defined.  
Who Can Provide It? Payment Service Providers (“PSPs”): Banks within the scope of Law No. 5411.Electronic Money Institutions.Payment Institutions.PTT (T.C. Post and Telegraph Organization). Note: The term “Institution” includes only Electronic Money and Payment Institutions.  
Minimum License RequirementThe institution that will provide digital wallet services must be authorized to operate within the scope of issuance or acceptance of the payment instrument, at least limited to the issuance of the payment instrument.  
Additional License RequirementsGenerally, depending on the services provided to the customer using a digital wallet, the institution must also obtain additional licenses related to the scope of the activity it will perform in addition to the minimum license.  
Additional License for Use at BusinessesIn cases where the digital wallet is used for payments at businesses, if the funds used for payment are transferred through the institution providing the digital wallet, then this institution this institution is required to have an electronic money issuance license.  The transfer of funds related to a payment transaction through the institution providing digital wallet services, due to the provision of necessary payment services in the businesses for the direct use of the payment account or payment instrument linked to the digital wallet in payment transactions in the business, is not included in this scope.   Note: The term “business” here refers to a natural or legal person who agrees to sell goods and services using a payment method that falls under the scope of payment services, within the framework of a contract made with the PSP.  
If the payment account or payment instrument of another PSP is to be used directly when making payments at businesses with a digital wallet, the institution must hold a payment order initiation service license.  
Cases Not Covered Under Digital Wallet ServiceElectronic devices, online services, or applications that can only define and store a payment account and payment instrument issued by the providing PSP itself.Services provided by legal entities that store sensitive customer data on behalf of the business or PSP in compliance with the regulations, but do not engage in direct legal transactions with the customer and do not own the relevant funds at any point of the payment process.(As a rule) Prepaid instruments that can be used only within the store network of the electronic money issuing institution, only for the purchase of a specific group of goods or services, or only within a specific service network as a result of an agreement.  
Introduced Obligations Related to Payment Instruments (To be effective as of 31/03/2024)  
Who is ObligatedPSPs issuing payment instruments  
In Which CasesWhen the PSP issuing payment instruments issues them compatible with multiple card system establishments, andWhen the customer requests the payment instrument to be issued specifically associated with a certain card system establishment.  
The ObligationThe PSP must issue the payment instrument compatible with the card system establishment selected by the customer.  
The PSP cannot engage in practices that make the issuance process of the payment instrument, compatible with the selected card system establishment, more difficult for the customer before and after the issuance.  
 
Who is ObligatedPSPs performing card-based payment instrument acceptance  
The ObligationTo ensure that the devices, hardware, and software used in acceptance activities are compatible with card systems established by systemically important payment system operators authorized to conduct card system establishment activities, andTo ensure that payment instruments issued in compliance with these infrastructures can be used at the businesses to which it provides services.  
 
Who is ObligatedBusinesses  
The ObligationThe business is obliged to provide necessary support for the work on the compatibility of the payment infrastructure provided by the PSP with the relevant card systems and business usage. The Central Bank of The Republic of Turkey (“CBRT”) is authorized to request the PSP to cease providing payment infrastructure services to any business that fails to show reasonable effort in taking the necessary measures to fulfill its obligations without a reasonable justification.  


Introduced Obligations When Providing Services to Other PSPs  
In Which CasesWhen a PSP, while having another PSP under its control, provides payment account services and infrastructure services related to payment services simultaneously to the controlled PSP as well as the other PSPs.  
Obligations of the Controlling PSP  
Obligation to Provide Services Under the Same Conditions  It is essential for the controlling PSP to offer the same type of services to the PSP it controls and to other PSPs under the same terms and conditions, and with the same fee policy.  
Obligation Not to Direct CustomersThe controlling PSP cannot direct its customers to the PSP it controls in a manner that gives an unfair advantage over other PSPs.  
Obligations of the Controlled PSP  
Obligation Not to Publicize the Control RelationshipThe controlled PSP, except in cases of interface provider status, cannot use expressions in its documents or any communication with third parties that would create the impression that it is acting on behalf of the controlling PSP.  
 
Exceptions to the Obligations  Contrary practices that may arise due to regulatory obligations and reasonable security, operational, and technical requirements.  


Changes to the License Authorization Process  
Rectifying Incomplete Information and Documentation  
Initial Application PhaseIf deficiencies in the information and documentation related to the initial notification phase are not rectified within three months from the date of notification of the CBRT letter regarding the deficiency, the application shall be deemed not to have been filed with the CBRT.  
Activity Expansion ApplicationIf deficiencies in the information and documentation related to the activity expansion process are not rectified within six months from the date of notification of the CBRT letter regarding the deficiency, the application for activity expansion shall be deemed not to have been filed with the CBRT.  
Changes Regarding Application Documentation  
Final Approval Phase DocumentThe report to be obtained on issues not directly related to information systems must be prepared by independent audit institutions listed in the Independent Audit Institutions list, which have obtained the authority to conduct independent audits from the Public Oversight, Accounting and Audit Standards Authority, including institutions of public interest.  
Informative Review Phase DocumentationThe following have been added to the documentation to be submitted in the relevant application phase: Undertakings stating that the applicant’s capital in the company is financed from their own resources and has been provided and deposited in cash, free from any collusion.Documentation related to the bankruptcy or concordat certificate obtained from the relevant trade registry office, and the document regarding the Findeks credit rating for the applicants and companies in which these persons directly own at least 33%.  
Addition of “Qualified Service” Definition
Value-Added Service Qualified Service
Services that do not fall within the scope of payment services as per the legislation but facilitate, secure, or enhance the efficiency of administrative and operational processes of legal entities and merchants, such as commercial debt and receivable management, accounting, invoicing, product, inventory, and supply management.Services that do not fall within the scope of payment services as per the legislation but facilitate, secure, or enhance the efficiency of payment services offered by supporting the financial status and financial awareness of natural persons, such as individual budget management, invoice management, account verification, and reminders regarding payments.
For Legal EntitiesFor Natural Persons
Expansion of Activity Areas for PSPs
Added ActivityLimitation of Added Activity
Provision of value-added services to legal persons and qualified services to natural persons.    Institutions with open banking licenses can offer value-added and qualified services related to both accounts held at their own institution and those held at other PSPs.   Other institutions may offer these services only in relation to the accounts held by themselves.  
Services to be provided as an interface provider within the scope of the Regulation on Digital Banks’ Operational Principles and Service Model Banking.Interface provider services cannot be offered in direct or indirect transactions related to precious metals, gemstones, and foreign currency exchange.  
Ancillary services that may increase the usage of the institution’s payment services, such as marketing and directing customers to the services of financial institutions whose activities are regulated and supervised by an authorized authority within the framework of relevant legislation.Döviz alım-satımıyla ilgili işlemlerde ilgili nitelikteki yan hizmetler sunulamaz. Ancillary services of this nature cannot be offered in transactions related to foreign currency exchange.   The qualified ancillary services to be offered by the institution cannot encompass the entire primary activity of the financial institution it serves. The institution cannot assume any role beyond what is regulated in the legislation during the provision of these services.  
Intermediary services related to the trading of processed precious metals and gemstones.The total transaction volume mediated by the institution within a month is limited to a maximum of 1% of the previous calendar year’s payment volume.
Miscellaneous Changes  
Share Acquisitions and Transfers    Share acquisitions and transfers among companies belonging to the same group that do not directly or indirectly cause any change in the shareholding ratios of the institution’s ultimate shareholders in the institution are exempt from CBRT permission.   Share transfers within this scope must be notified to CBRT within ten business days at the latest after the institution becomes aware of them.     CBRT is authorized to demand the suspension or reversal of share transfers if it determines that these transfers damage the transparent and open shareholding structure of the relevant institution in a way that prevents CBRT’s supervision.  
Regarding The Communication Sector  The upper limits for payments to be intermediated by the IT or electronic communications operator have been increased from TRY 500 to TRY 1000 per transaction and from TRY 1250 to TRY 2750 per month for the total monthly expenditure of the customer for all lines held by the customer with the relevant electronic communications operator.   Additionally, the waiting period for service suspension from the final payment date of the bills has been increased from 15 to 30 days, and the waiting period for not opening the service for 1 year has been increased from 1 month to 60 days.  
Representatives    In each case where the representative relationship is terminated by the institutions, a separate list will be created within the Payment and Electronic Money Institutions Association of Turkey (“TÖDEB”) regarding the persons whose representative relationship has been terminated. These persons will be included in this list for five calendar years, and those whose representation relationship is terminated for non-commercial or non-technical reasons will be specifically indicated in the relevant list.   The TÖDEB list will publicly display the trade name, address and internet address of the institutions and the MERSIS number, field of activity, address and website address, if any, of the representative, including sole proprietorships.  
Risk Management PersonnelIt is stipulated that at least one of the risk management personnel within the institution must be a full-time employee of the institution.  
Change of Title NotificationChanges in the titles of institutions will no longer be subject to CBRT’s approval but must be notified to CBRT within 20 business days following the completion of the change process.  
Inclusion of the Collateral Amount in Equity DeductionThe collateral amounts that institutions will deposit with the CBRT under the legislation will also be taken into account as a deduction item in the equity calculation. However, it is stated that payment and electronic money funds cannot be used as collateral. In addition, if the criteria taken into account in determining the collateral amounts are not met individually, the collateral amount will be increased by 25%, if not met collectively, by 100%.  
Amendments Related to EquityAmounts of capital and shares held in banks will no longer be included in the equity calculation as a deduction item.   The conditions requiring that the free provisions included in the equity calculation be readily available for the institution to cover potential losses from risks, be clearly stated in accounting records, and be approved by the independent audit institution conducting the institution’s audit, have been removed.   It is stated that the continuous and regular reporting obligation in the legislation will not replace the notification obligation to the CBRT in case the equity falls below the minimum amounts specified in the legislation.  

Amendments Introduced by the Communiqué

Subject of ChangeDescription
Creation of Audit Trails  The content of the minimum records to be kept in the audit trail recording system has been expanded to include not only the application where the access or transaction occurred, but also the communication network protocol, time and source, destination port, and IP information in the records.   In the event that the audit trail recording system stops for any reason, instead of directly prohibiting any transactions until the system is reactivated, it is now possible to ensure that the audit trails of the transactions that occurred during the downtime are recorded in the system by maintaining their security and integrity once the system is reactivated within the continuity objectives of the audit trail recording system.   Additionally, the institution is now obligated to prove that transactions conducted while the audit trail recording system was down were carried out by authorized persons and in compliance with legislation. It also has the obligation to indemnify any party that suffered damage due to these transactions.
Obligation of Care for Locality in Critical Information SystemsAn obligation has been introduced to exercise utmost care for the products and services to be procured for critical information systems and security to be produced in Turkey or for their developers to have R&D centers in Turkey, and to consider this locality as an important criterion in outsourced service procurement.   Furthermore, the condition that these providers and manufacturers have intervention teams in Turkey has been stipulated.   CBRT reserves the authority to set additional requirements for security products and other information technology elements to be used by institutions.
Exception for Data Transfers AbroadIn cases where one of the parties to the payment transaction (either themselves or their service provider) is located abroad, the institution can share the necessary data with the relevant third parties abroad, limited only to the extent required for the smooth execution of the payment transaction and in accordance with the principle of proportionality, provided that the data continues to be stored domestically, subject to the request or instruction from the customer regarding the payment transaction, and without prejudice to the obligations under Article 9 of the Law No. 6698.   CBRT may halt or impose additional restrictions on these data-sharing practices if it determines that such practices would adversely affect the development of the payments area.
Changes Related to Processes Conducted via Remote Communication ToolsIn identity verification and contract establishment processes conducted via remote communication tools, the following have been added to the minimum requirements to be fulfilled by institutions while using internet-based methods that allow for remote identity verification and verification of the person to be identified, unless a centralized structure approved by CBRT is used:
1)         Verifying the authenticity of the document used for remote identity verification and the data and information contained in the document primarily using near-field communication; testing the authenticity, integrity, wear and falsification of the document and the data and information contained in the document, especially the security elements, photograph and signature that can be visually distinguished under white light, and ensuring that the process of checking the front and back sides of the document for visual elements is recorded uninterruptedly.
2)         If verification using near field communication is not possible for any reason, ensuring the authenticity of the document and the data and information it contains is verified using optical character recognition, card reader, or other methods determined by CBRT after consulting with Financial Crimes Investigation Board (“MASAK”), testing the authenticity, integrity, wear and falsification of the document and the data and information contained in the document, especially the security elements, photograph and signature that can be visually distinguished under white light, and ensuring that the process of checking the front and back sides of the document for visual elements is recorded uninterruptedly.
3)         Recording the approval and explicit consent of the person whose identity will be verified regarding the use of biometric data for remote identity verification and that the contract process will be conducted via a remote communication tool.
4)         Following the remote identity verification or face-to-face determination of customer identity, obtaining the customer’s declaration of intent to establish the contract via an online video call or through an electronic channel after performing strong identity verification on the same electronic channel if the latter is preferred.
Information systems used in processes conducted via remote communication tools under this article are considered critical information systems.
Definition of Anonymous Prepaid InstrumentsPursuant to the amendments made to both the Regulation and the Communiqué, one of the conditions for being an anonymous prepaid instrument is to stay within the monetary limits set forth in the MASAK General Communiqué (Serial No: 5).
Definition of Near-Field Communication (NFC)Near-field communication is defined as, “a short-range wireless connection technology that enables data transmission over a magnetic field generated by either touching electronic devices together or bringing them close to each other without contact.
Transitional Provisions  
Addressee  Activity to be Conducted  Deadline
PSPs that do not provide their customers with direct online access to the payment accounts held with them    To complete integration with Interbank Card Center A.Ş. (“BKM”) within a maximum of 6 months after starting operations, having obtained the necessary permissions.31/12/2025  
Institutions that will provide digital wallet services  Obtaining the necessary licenses for services within the scope of digital wallets or ensuring compliance for institutions already providing digital wallet services.  07/10/2024  
PSPs holding payment accounts    Provision of data sharing services, the technical requirements of which have been determined, to institutions with ongoing license application process and open banking license holders by using non-standard services.  30/06/2024   (CBRT may extend this period by up to 6 months).  
Open banking institutions in the licensing application process  Provision of data sharing services, the technical requirements of which have been determined, by using non-standard services.  30/06/2024   (CBRT may extend this period by up to 6 months).            
Banks and open banking institutions      Provision of data sharing services, the technical requirements of which have been determined, by using non-standard services in relation to the payment accounts held with the PSPs that are not among the top ten participants in terms of the total number of account payment transactions realized in 2020 in Bank Payment Systems.  30/06/2024   (CBRT may extend this period by up to 6 months).  
TÖDEB  Determination of the minimum elements to be included in the receipt to be given to the customer by electronic money institutions.  31/12/2023  

Uniformity Established in the Provisions of Remote Customer Acquisition for Payment and Electronic Money Institutions

Previously, following the amendments to the Payment Services Communiqué published in the Official Gazette dated October 7, 2023 and numbered 32332, and entered into force on the same date, payment and electronic money institutions were enabled to carry out the processes of identity verification and establishment of contractual relationship with customers by using remote communication tools, and the principles regarding this were regulated in Article 22 of the Payment Services Communiqué. Paragraph 14 of the same article referred to the “Financial Crimes Investigation Board General Communiqué (Serial No: 19)” (“MASAK Communiqué“) and stated that the provisions of the MASAK Communiqué would be applied with priority.

Prior to the amendment dated November 4, 2023, although Article 4 of the MASAK Communiqué included a provision stating that obligors may use remote identification methods if they are permitted (in other legislation) to identify and establish contracts with their customers through remote communication tools, there was a hesitation as to whether the MASAK Communiqué covered payment and electronic money institutions in general.

The provision brought by the Amendment Communiqué has resolved these doubts, clarifying that the methods and measures to be used by payment and electronic money institutions in customer acquisition through remote communication tools will be based on the Payment Services Communiqué. As a result, uniformity between the regulations of CBRT and MASAK has been achieved.

You can access the text of the Amendment Communiqué here.