The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (“Regulation”) and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services Providers (“Communiqué”) drafted by the Central Bank of the Republic of Turkey (“CBRT”) published in Official Gazette on 1 December 2021 and entered into force. Thus, the Regulation on Payment Services and Electronic Money Issuance, Payment Institutions and Electronic Money Institutions (“Abrogated Regulation”) published in Official Gazette dated 7 June 2014 and numbered 29043 and Communiqué on the Management and Supervision of Information Systems of Payment Institutions and Electronic Money Institutions (“Abrogated Communiqué”) have been repealed.
The Law numbered 7192 Amending the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions and Certain Other Laws, published in Official Gazette 22 November 2019 and entered into effect on 1 January 2020, introduced amendments to Law numbered 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Law No. 6493”). In this context,
- Initiation of payment order regarding payment account held by another payment service provider, upon request of the customer,
- Provision of consolidated data regarding one or more payment accounts of a payment service user through online platforms, by granting customer consent,
- Other transactions and services reaching the size to be determined by the Central Bank of the Republic of Turkey in the field of payments
were regulated and The field of activities have been aligned with Directive (EU) 2015/2366 of European Commission Payment Services Directive 2 (“PSD2”). In addition, the CBRT was authorized to determine the characteristics, maximum amount or rates of fees, expenses, commissions and other benefits received by a party under any name regarding a certain type of transaction within the scope of the payment service, and to release them partially or completely.
The CBRT prepared the Regulation and Communiqué based on the said regulations, and more extensive and decisive provisions were introduced in line with the PSD2.
2.1 Key Amendments
The Regulation aims to regulate the procedures and principles regarding the authorization and activities of payment institutions and electronic money institutions (“Institution“), the provision of payment services to payment service providers, and the issuance of electronic money.
Notable provisions introduced with the Regulation, which consists of 86 articles and six parts, are summarized below:
- New concepts have been defined with the regulation, including (i) prepaid instruments which are defined as a vehicle that is not linked to a payment account in any way and that has not been identified or verified, becomes usable by prepayment or loading, can be exported with or without the ability of redepositing, and allowed to be used up to the deposited balance, and (ii) competition sensitive data which is defined as any kind of quantitative data that can be associated with prices, such as fees, commissions, and interest. In addition, the widespread store network, which causes confusion as a member sub-workplace, is included in the Regulation as “legal persons that carry out retail sales under a certain brand name throughout Turkey“. It should be noted that anonymous prepaid cards, that are used anonymously, can only be used in the physical environment, online channels with a trust stamp, and for bill payments. In this way, prevention of use for illegal purposes such as illegal betting is aimed. In addition, with the exception of anonymous prepaid vehicles, it is necessary to obtain the approval of the legal representative of the minor, to record the received approval, and to establish the necessary procedures during the first issuance of prepaid vehicles to minors and the opening of electronic money accounts.
- It is aimed to facilitate the processes related to payment transactions and to prevent fraud and malicious use activities in the field of payments by materializing the definition of member workplaces that have been carried out by Institutions until today. The codes to be given to the member merchants are applied to Bankalararası Kart Merkezi A.Ş. (“BKM”).
- Intangible assets that are only issued in exchange for a one-to-one fiat currency, created virtually and distributed over digital networks are considered as electronic money in case they are issued against funds accepted by the issuing Institution, stored electronically, used to perform the payment transactions defined in Law No. 6493 and accepted as a payment instrument by real and legal persons other than the issuing Institution. The CBRT will determine how the secondary regulations enacted pursuant to Law No. 6493 will be applied to intangible assets that will be considered as electronic money within the scope of this paragraph, and other procedures and principles needed for such electronic money.
- The paid-in capital of the company free from all kinds of collusion which has applied for an operating license pursuant to the Regulation —as to the Abrogated Regulation— must be a minimum of
- 1,000,000 TRY for provision to provide services for mediating bill payments,
- 2,000,000 TRY to provide other payment services,
- 5,000,000 TRY to issue electronic money.
In addition, it is obligatory to keep a guarantee of
- 2,000,000 TRY for payment institutions exclusively mediating bill payments,
- 3,000,000 TRY for other payment institutions,
- 5,000,000 TRY for electronic money institutions
- The application documents requested in the Abrogated Regulation have been preserved in general and the method to be followed in the application has been uniformized with PSD2.
- Operational permit application stages were rearranged as (i) preliminary application, (ii) intelligence examination and (iii) final approval.
- 500,000 TRY shall be paid as application fee in preliminary application. This fee will not be refunded even if the application is rejected at any stage of the application process.
- In case the preliminary application is accepted, CBRT shall provide the applicant with an official document. The applicant is obliged to initiate the process for the intelligence examination phase with this document, within 6 months. After that period, the document will be invalid, and the applicant should re-apply to the CBRT.
- In case CBRT approves the application at intelligence examination stage, the applicant shall apply to CBRT for final approval within 120 days upon the receipt of the written approval. The CBRT is authorized to grant a maximum of 60 days of extension for those who missed the deadline on reasonable grounds.
- Upon the receipt of the final approval, the applicant is obliged to notify the CBRT that it will initiate its operations, as in the Abrogated Regulation.
- If the final approval is received and the application is accepted, the applicant is required to notify the CBRT that it will start operating, as in the Abrogated Regulation. However, with the Regulation, the applicant now is obliged to pay a license fee of 1,000,000 TRY in the meantime.
- Even though it is essential that even for the applications for operational permits made before the effective date of the Regulation to be processed in two stages, the CBRT may combine two stages in one for those who have fulfilled their obligations. The information and documents that were missing at the intelligence examination stage should be submitted to CBRT by 30 June 2022, for the applications made as of the effective date of the Regulation. Otherwise, the applications will be rejected.
- More detailed regulations have been set forth in comparison to the Abrogated Regulation.
- In the Abrogated Regulation, all kinds of share transfers between existing qualified shareholders were subject to permission. However, now obtaining shares representing 10% or more of the company’s capital or obtaining a shareholder’s direct or indirect shares that do not exceed 10%, 20%, 33% or 50% of the capital, and that do not create changes in the privileges of the qualified shareholders are not subject to authorization. They will only need to be reported to the CBRT.
- In the event that the shares of a legal entity that owns 10% or more of the capital of a publicly traded Institution are acquired from the stock exchange in a volume that will lead to a change in control, it is obligatory to obtain the permission of the CBRT in order to exercise the partnership rights, excluding the financial rights of the corresponding shares of the relevant Institution.
- Real and legal persons who will acquire shares for the first time are obliged to answer the question set in annex-21 of the Regulation regarding the investment rationale and how it will be managed and submit it to the CBRT.
Credit Ban and Refund
- In accordance with the Regulation, in payment transactions where the payment is made to information or electronic communication operator that acts only as an intermediary between the payment service user and the good or service provider, it was emphasized that collection of payments by reflecting the amount mediated in the payment on the invoice issued by the informatics or electronic communications operator operating as an intermediary on the invoice by the due date would not be considered as a loan.
- In cases where the fund related to the payment service or the fund equivalent of the electronic money is paid by credit card or when this fund is requested to be withdrawn, the withdrawal can be made to the same credit card account. In cases where the payment is processed and reflected on the invoice by the IT or electronic communications provider, this fund can only be withdrawn by reflecting on the invoice. In cases where the credit card or the line has been canceled prior to refund, the refund can be made into a payment account opened in the depositor’s name. These provisions aim to prevent money laundering through payment systems.
Cooperation with Foreign Payment Service Systems
- Further regulations with regards to cooperation with foreign payment service systems (“PSS”) have been introduced, including that (i) these kind of cooperations can be made in cases where one of the parties to the payment transaction is abroad, (ii) the foreign PSS cannot be the face of the service, and (iii) that all kinds of responsibility will primarily belong to the domestic Institution. In this context, it has been made mandatory for the foreign PSS to apply to the CBRT and foreign PSSs which currently fall within this scope, must apply to the CBRT within 6 months and obtain operational permit.
- It was already regulated in Law No 6493 and Abrogated Regulation that payment Institutions can carry out their payment services through representatives on electronic or physical channels. With the Regulation, the provision with regards to the representation is detailed, and the documents that will be requested from the candidates to be used in the evaluations regarding the representative candidates are listed, and the representation agreement was standardized.
- The one-year period for signing and implementation of the framework representation agreements to be determined by the Association of Payment and Electronic Money Institutions of Turkey (“Association”). Representation agreements signed before the Regulation entered into force will remain in effect as long as they meet the minimum requirements.
- Institution representatives must be registered in the list in the electronic environment to be created by the Association. This registration must be carried out within 15 business days from the signing of the agency agreement, and it will not be possible for Institutions to provide payment services through their unregistered representative.
Regulations regarding Closed-Circuit and Commercial Representative Exemption
- For parties benefiting from the closed-circuit and commercial representative exemption, if the transaction volume over the last 12 months exceeds 50,000,000 TRY, it is obligatory to report in accordance with the CBRT’s criteria in January of each year. If it deems necessary, the CBRT has the authority to request that the transactions here be ceased or to be carried out through institutions that have an operational permit.
- The identifier is defined as a combination of numbers, letters, or symbols specific to the customer to identify his/her identity and distinguish him/her from other users by the payment service provider. As a rule, payment transactions made in accordance with the identity specified by the sender are deemed to have been carried out correctly. Even if additional information is provided to the identifier by the customer, the payment service provider will be responsible for making the payment transaction only with the identifier. Since the situations in which simplified identification, enabled by Financial Crimes Investigation Board General Communiqué No: 5, can be made are very limited, many Institutions will now carry out identification proceedings either face-to-face or according to the remote identity verification arrangement that is expected to be released in the future.
Payment Order Initiation Service and Account Information Service
- The provisions within this field have been added to field of activity with Law No. 6493 in order to be aligned with PSD2 with regards to open banking activities. CBRT will regulate the technical and operational requirements.
- Payment order refers to the instruction given by the customer to the payment service provider for the purpose of realizing the payment transaction, and in accordance with Law No. 6493, the Institutions have the right to issue a payment order initiation service (“PIS”). In case of initiation of payment through the PIS provider, the Institution holding the sender’s payment account will promptly return the unfulfilled or incorrectly executed part of the payment transaction to the sender and restore the payment account if the amount has been deducted from the payment account. In such transactions, the obligation to prove that the payment order has been received by the Institution where the payment account is held, the transaction has been approved by the customer, is recorded correctly, processed into the accounts, and is not affected by a technical failure or problem in the services under its responsibility will belong to the PIS provider.
- The procedures and principles regarding the execution of transactions related to the PIS and the account information service (“AIS”) in addition to the technical and operational requirements to be complied with by the parties are determined by the CBRT. Compliance with the technical and operational requirements of the CBRT is audited through technical control and evaluation process to be carried out by BKM. Parties who complete this technical control and evaluation process without any problems are registered by BKM and publicly announced on the website, and are accepted as authorized PIS and AIS providers after the necessary permissions are given by the CBRT.
- The payment funds being lent in overnight interest in the bank where the protection account is held does not constitute a violation of the regulation that the payment funds can only be used for the purpose of realizing the payment transaction. However, the same regulation does not applied to electronic money accounts.
2.2 Transition Period
This Regulation entered into force as of 1 December 2021, the date of publication in the Official Gazette. The key matters in compliance with the Regulation, regulated under provisional article-1, are as follows:
- Institutions operating as of the date of entry into force of the Regulation are obliged to harmonize with the Regulation within one year from the date of publication.
- As of the date of entry into force of the Regulation, new representation agreements cannot be made with persons engaged in the purchase and sale of processed precious metals and precious stones operating under names such as jewelers, money changers, and jewelry makers. Representation agreements made before the Regulation enters into force will continue to be valid until the expiration date of the agreement. They cannot be renewed on the expiration date, and will expire on 31 December 2022 at the latest in any case.
- As of the effective date of this Regulation, the Institution can acquire shares in companies that
- Issue electronic money,
- Provide payment services,
- a) Secure and expedite the activities of the payment service providers, b) Provide ancillary payment services such card data processing, prevention of misconduct and fraud, c) Provide trainings and consultancy on payment services, d) Provide services in transaction execution related to prepaid instruments, electronic money issuance or payment services, e) Provide ancillary payment services securing and expediting the activities of the payment service providers, such as the card data processing, prevention of misconduct and fraud, as well as training and consultancy on electronic money issuance or payment services,
- Provide information services with regards to other accounts held by payment service providers and not deemed payment accounts.
Otherwise, they are obliged to take the required measurements to comply with the Regulation by 31 December 2022.
- Legal persons who issue intangible assets that can be considered as electronic money and who fall into the electronic money institutions category under Law No. 6493 yet do not have an operational permit, are obliged to apply to the CBRT and obtain the necessary permit within 1 year from the publication of the Regulation.
- As of the effective date of the Regulation, if the cooperation has been established between a legal entity residing abroad and an institution, the entity residing abroad must apply to CBRT within 6 months and obtain permit. Otherwise, the institution will be obliged to terminate the cooperation.
- Within the framework of Law No. 6493, companies offering payment order initiation service with regards to the payment account at another payment service provider upon the request of the payment service user or providing services, by granting customer consent, for consolidated data regarding one or more payment accounts of a payment service customer at the payment service providers to be displayed on online platforms, are obliged to apply to the CBRT for an operational permit, as of the publication date of the Regulation. If the application process cannot be finalized due to a reason originating at BKM end, CBRT will issue a probationary permit. The operational permit will become final once the BKM approved that the deficiencies are remedied.
- In addition, unless appropriate approval is received within 6 months from the effective date of the Regulation for mobile phone subscriptions that are open to payment services, excluding those opened in accordance with the Regulation as of the date of entry into force of the Regulation, they will be made close to the services listed in subparagraph (d) of paragraph 1 of article 4.
- For operational permit applications made before the effective date of the Regulation, only the provisions regarding shareholders equity liability, collateral liability, the protection of payment funds and the protection of funds collected in return for electronic money shall be applied. The Abrogated Regulation shall be applied to these applications.
- BKM will establish new registration system for the member workplaces by 30 June 2022. The CBRT is authorized to extend this period not to exceed 6 months.
3.1. Key Amendments
The Communiqué aims to regulate the procedures and principles regarding the management of the information systems Institutions use in the conduct of their activities and their auditing by authorized independent audit firms, and the data sharing services of the payment service providers in the field of payment services.
Compared to the Abrodaget Communiqué, the Communiqué regulates the issues with regards to information technologies in a more technical and detailed fashion. It can be said that these are almost paralleled with the Regulation on Information Systems of Banks and Electronic Banking Services.
Notable provision introduced with the Communiqué, which consists of 5 chapters and 34 articles, are summarized below:
- In the Communiqué, it is ensured that systems with sensitive customer data or customer information are in the private internal network and cannot be accessed directly from the internet in any way. The Communiqué regulates that Institutions should create policies and procedures in writing and take necessary measures to ensure the confidentiality and security of sensitive customer data and customer information that they acquire during the execution of their activities and process, transmit or store through information systems, and to prevent leakage outside the Institution. In addition, the rules regarding the realization of identity verification in a secure way have been directly envisaged.
- Regulations regarding the establishment of an adequate and effective identity verification system for use in transactions performed in information systems are included, and the rules for the secure realization of identity verification have been laid down.
- As per the Communiqué, Institutions must establish secondary centers and systems and periodically test them to ensure the uninterrupted continuation of their activities. In addition, outsourcing is allowed, subject to the supervision of the CBRT.
- The customers who will receive the services offered by the Institutions must be explicitly informed about the conditions, risks, and exceptional situations related to the services. The procedure and the mandatory content of the information are also regulated. In addition, the Communiqué includes mandatory provisions, security measures, and regulations on unmanned service points in the contracts that Institutions will make with workplaces and representatives. It is obligatory for Institutions to have their primary and secondary systems and data backup centers in Turkey. Furthermore, the Communiqué regulates issues related to remote customer identification.
- The issues related to data sharing have been regulated, and the legal framework for the service of provision of consolidated information regarding one or more payment accounts on online platforms on the payment account in another payment service provider has been clarified. Within the scope of the relevant regulations, the account service provider (“ASP”) provides the data sharing services to the AIS provider and the PIS provider by making the necessary connections within the scope of the said activities. ASP connects to the BKM API Gateway and provides the necessary infrastructure to all other authorized payment service providers requesting AIS and PIS regarding the payment accounts it holds. With the account information service, ASP fulfills the requests within the scope of PIS without delay.
- In addition, payment service providers that are among the top ten participants in terms of the total number of account payment transactions carried out in the CBRT Payment Systems fulfill their obligations to provide infrastructure for PIS and AIS within 1 year, following the completion of the period stipulated by the CBRT. Finally, data sharing services, the technical requirements of which are determined by the Communiqué, may continue to be provided using non-standard services for 1 year from the date of the Communiqué’s publication.
3.2 Transition Period
This Communiqué entered into force on 1 December 2021, the date of publication in the Official Gazette.
Institutions operating as of the date of entry into force of the Communiqué are obliged to harmonize with this Communiqué within 1 year from the date of its publication.
Data sharing services, technical requirements of which have been determined, may continue to be provided using non-standard services for 1 year following the publication of the Communiqué. The CBRT is authorized to extend this period not to exceed 6 months.