Fintech Law: Türkiye - Part 2

Regulation

i. Licensing and Marketing

A comprehensive scope of financial services and activities is regulated under Turkish legislation. Financial institutions are obliged to obtain authorisation from relevant regulators (i.e., the CBRT, the Capital Markets Board (CMB) and the Treasury) to be incorporated and to conduct financial activities. As per Law No. 6493, licensing requirements apply in all cases that involve the provision of payment and e-money services. Payment services and e-money services can only be offered if the provider is granted a licence by the CBRT.

Pursuant to the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, requirements for applications for operation permits are subject to a two-stage evaluation: an informative investigation stage and a final stage.

The corporate name of the company applying for an operation permit is required to contain phrases showing that it is a payment institution or an e-money institution, and the application fee for the authorisation permit is determined as 500,000 Turkish lira. Furthermore, pursuant to the Communiqué published by the CBRT, which entered into force as of 27 June 2024, the amount of the paid-in capital of the company, free from collusion, has been increased to 10 million Turkish lira for payment institutions providing intermediary services for invoice payments exclusively, to 20 million Turkish lira for other payment institutions, and 55 million Turkish lira for electronic money institutions. Furthermore, according to the Regulation, institutions are required to pay a licence fee of 1 million Turkish lira upon receipt of the operation permit.

As regards the sale and marketing of financial services and products, the CMB's Communiqué on Principles on Investment Services and Activities and Ancillary Services (No. III-37.1) and the Banking Regulation and Supervision Agency (BRSA)'s Regulation on Banks' Procurement of Support Services impose certain restrictions on financial service providers as well as vendors providing the sale and marketing of financial services in Türkiye.

The automated digital advisory is not regulated under Turkish legislation; however, if the advisory services to be carried out are in relation to a regulated financial activity, regardless of its form, either digital or in person, these advisory activities may be subject to an authorisation or an exemption, depending on the type and content.

In terms of asset management companies, the Regulation on the Establishment And Operating Principles of Asset Management Companies and Transactions Regarding the Receivables to be Taken Over sets forth that asset management companies must obtain authorisation from the BRSA prior to their establishment to carry out their activities, and the paid-in capital, free of all kinds of collusion and in cash, may not be less than 50 million Turkish lira.

Providing credit references or credit information services in Türkiye is a regulated activity under Law No. 5411; however, this does not directly apply to the fintech sector.

ii. Cross-border issues

Pursuant to Turkish legislation, a licence to provide financial services in Türkiye may only be obtained if the company is governed by Turkish law. However, pursuant to the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, fintech companies may cooperate with institutions abroad when providing financial services.

A fintech company is required to be incorporated and licensed in the local Turkish jurisdiction by the CBRT. The requirement also applies to companies that provide cross-border services and products, and whether the products are actively marketed, or the client in the jurisdiction solicits the service or product, is not relevant.

The Regulation allows cooperation with legal entities residing abroad that have obtained permission from the CBRT, in line with their objectives or operations. However, the foreign legal entity in question must also be authorised to provide payment services or issue electronic money by the relevant authorities of the country in which its headquarters are located. The legal entity residing abroad, with which the cooperation is made, may not be exposed as the face of the service alone to the customer.

Furthermore, pursuant to the MASAK Regulation, branches, agencies, representatives, commercial proxies and similar affiliated units in Türkiye will be deemed liable for cryptoasset service providers headquartered abroad.

Pursuant to the Turkish Direct Foreign Investment Law (Law No. 4875) and Law No. 5411, there are no restrictions or limitations on the ownership of companies by foreigners. On the contrary, direct foreign investments are promoted through Law No. 4875.

Digital identity and onboarding

There is no general regulation regarding digital identity in Turkish legislation. However, there are separate pieces of legislation concerning the elements of electronic capture and storage attributes or credentials that may uniquely identify a person and create a digital identity.

The Electronic Signature Law (Law No. 5070) lays out the principles of digital identification. The Communiqué on Electronic Signature and Relevant Procedures and Technical Criteria also sets a technical basis regarding the electronic signature that may be used in the creation of a digital identity.

Relevantly, the term 'open banking' is defined in the Regulation on Banks' Information Systems and Electronic Banking Services, published in the Official Gazette dated 15 March 2020, which entered into force on 1 January 2021. In this context, open banking services are now used for digital identity.

In the press release dated 1 December 2022 of the CBRT, it was announced that the CBRT launched open banking services, which is another important component of the digital economy roadmap of its Liraisation Strategy. Currently, six banks have started to provide services through the 'Open Banking Gateway' (GECIT) infrastructure developed by the Interbank Card Centre (BKM), which enables standard open banking transactions to be offered to the parties. In addition, CBRT published Guidelines for Data Sharing Services in Payment Services on 30 December 2022 and detailed information technology development-related rules have been determined for payment institutions.

The Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relations in the Electronic Environment, drafted by the BRSA determines remote identification methods within the scope of the Regulation on the Principles of Operation of Digital Banks and the Regulation on Service Model Banking published in the Official Gazette dated 29 December 2021 and numbered 31704. The Regulation Amending the Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relationships in the Electronic Environment (Amending Regulation) stipulating the remote identification methods that can be used by banks when acquiring new customers and verifying customer identity, and regulations on remote identification transactions by persons with disabilities entered into force on 1 June 2023. The Amending Regulation enables the use of artificial intelligence based systems for remote identification.

Pursuant to Article 6/A of the Regulation on the Prevention of Laundering Proceeds of Crime and the Financing of Terrorism by the MASAK Regulation, if the legislation pertaining to the obliged party's main field of activity allows for the establishment of a contract with methods that will allow the verification of the customer's identity without face-to-face contact with the customer, remote identification methods may be used to verify the identity of the customer in the establishment of a permanent business relationship with real persons. The Ministry of Treasury and Finance is authorised to determine the methods and measures that can be used. In accordance with the Financial Crimes Investigation Board General Communiqué (No. 19), published in the Official Gazette dated 30 April 2021 and numbered 31470, remote identification tools such as informatics or electronic communication devices can be used within the methods determined for obliged parties. For remote identification, there is no restriction on whether the customer is a Turkish citizen and there is no limitation on transactions in which it can be used. Notably, the monetary limit regarding customer identification, including digital identification by fintech companies in terms of electronic transfers, is 15,000 Turkish lira as of 16 June 2023.

The press release dated 29 December 2022 of the CBRT announced that the first payment transactions on the Digital Turkish Lira Network were successfully carried out within the scope of the first phase of the Digital Turkish Lira Project. On 31 December 2023, the CBRT published the Digital Turkish Lira Phase 1 Evaluation Report. According to the report, digital money system has been defined as the component where transactions are finalised and recorded. In Phase 1, the digital currency system was envisioned as a retail payment system in which all participants have a separate account.

There is no general regulation regarding digital identity in Turkish legislation. However, there are separate pieces of legislation concerning the elements of electronic capture and storage attributes or credentials that may uniquely identify a person and create a digital identity.

The Electronic Signature Law (Law No. 5070) lays out the principles of digital identification. The Communiqué on Electronic Signature and Relevant Procedures and Technical Criteria also sets a technical basis regarding the electronic signature that may be used in the creation of a digital identity.

Relevantly, the term 'open banking' is defined in the Regulation on Banks' Information Systems and Electronic Banking Services, published in the Official Gazette dated 15 March 2020, which entered into force on 1 January 2021. In this context, open banking services are now used for digital identity.

In the press release dated 1 December 2022 of the CBRT, it was announced that the CBRT launched open banking services, which is another important component of the digital economy roadmap of its Liraisation Strategy. Currently, six banks have started to provide services through the 'Open Banking Gateway' (GECIT) infrastructure developed by the Interbank Card Centre (BKM), which enables standard open banking transactions to be offered to the parties. In addition, CBRT published Guidelines for Data Sharing Services in Payment Services on 30 December 2022 and detailed information technology development-related rules have been determined for payment institutions.

The Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relations in the Electronic Environment, drafted by the BRSA determines remote identification methods within the scope of the Regulation on the Principles of Operation of Digital Banks and the Regulation on Service Model Banking published in the Official Gazette dated 29 December 2021 and numbered 31704. The Regulation Amending the Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relationships in the Electronic Environment (Amending Regulation) stipulating the remote identification methods that can be used by banks when acquiring new customers and verifying customer identity, and regulations on remote identification transactions by persons with disabilities entered into force on 1 June 2023. The Amending Regulation enables the use of artificial intelligence based systems for remote identification.

Pursuant to Article 6/A of the Regulation on the Prevention of Laundering Proceeds of Crime and the Financing of Terrorism by the MASAK Regulation, if the legislation pertaining to the obliged party's main field of activity allows for the establishment of a contract with methods that will allow the verification of the customer's identity without face-to-face contact with the customer, remote identification methods may be used to verify the identity of the customer in the establishment of a permanent business relationship with real persons. The Ministry of Treasury and Finance is authorised to determine the methods and measures that can be used. In accordance with the Financial Crimes Investigation Board General Communiqué (No. 19), published in the Official Gazette dated 30 April 2021 and numbered 31470, remote identification tools such as informatics or electronic communication devices can be used within the methods determined for obliged parties. For remote identification, there is no restriction on whether the customer is a Turkish citizen and there is no limitation on transactions in which it can be used. Notably, the monetary limit regarding customer identification, including digital identification by fintech companies in terms of electronic transfers, is 15,000 Turkish lira as of 16 June 2023.

The press release dated 29 December 2022 of the CBRT announced that the first payment transactions on the Digital Turkish Lira Network were successfully carried out within the scope of the first phase of the Digital Turkish Lira Project. On 31 December 2023, the CBRT published the Digital Turkish Lira Phase 1 Evaluation Report. According to the report, digital money system has been defined as the component where transactions are finalised and recorded. In Phase 1, the digital currency system was envisioned as a retail payment system in which all participants have a separate account.