Turkey's Central Bank adopts new secondary legislation on payment services and e-money

Turkiye

On 1 December 2021, the Central Bank of the Republic of Turkey (CBRT) published the "Regulation on Payment Services, E-Money Issuances and Payment Service Providers" (Regulation) and the "Communiqué on Information Systems of Payment and E-Money Institutions and Data Exchange Services of Payment Service Providers in the Field of Payment Services" (Communiqué) in the Official Gazette (numbered 31676).

The Regulation entered into force on the date of publication.

General information about the Regulation

The purpose of the Regulation is to lay down the procedures and principles for the authorisation and operation of payment institutions and electronic money institutions, the provision of payment services and the issuance of electronic money.

The Regulation repealed the former “Regulation on Payment Services and the Issuance of Electronic Money, Payment Institutions and Electronic Money Institutions" of 27 June 2014.

Newly introduced concepts

The Regulation introduces two (2) new terms by defining a "prepaid instrument" and an "anonymous prepaid instrument" as follows:

  • A prepaid instrument is a payment instrument that does not physically exist and whose funds can be used for payments; it is paid in advance to the payment service provider issuing the payment instrument and allows the funds to be used for payment services up to the amount paid.
  • An anonymous prepaid instrument is a prepaid instrument that is not linked in any way to a payment account and has not been identified or verified; it becomes usable by prepayment or top-up; it may be issued with or without a top-up facility; and it may be used up to the top-up balance.

Another important provision of the Regulation relates to the conditions for electronic money. In order for intangible assets distributed via the digital network to be accepted as electronic money, the following conditions have been introduced:

  • Issued only in exchange for fiat currency at a 1:1 ratio;
  • Issuance against funds accepted by the issuing institution;
  • Electronic storage;
  • Payment transactions within the meaning of the legislation;
  • Acceptance as a means of payment by natural and legal persons other than the issuing institution.

Given this definition, it is to be expected that cryptocurrencies and crypto-assets based on assets other than fiat money will not be accepted as electronic money, as is currently the case.

The definition of "competitively sensitive data" is introduced and refers to all types of quantitative data that can be linked to price, such as fees, commissions and interest.

Operating licence

The title of the company applying for an operating licence must contain a reference to the fact that it is a payment institution or an electronic money institution. The paid-up capital of these undertakings, which are not allowed to collude, must be at least TRY 1 million (approx. EUR 64,000) for payment institutions providing bill payment intermediation services, at least TRY 2 million (approximately EUR 128,000) for the provision of other payment services and at least TRY 5 million (approximately EUR 320,000) for the issuance of electronic money. Further, according to the Communiqué on Re-determination of Minimum Equity Amounts of Payment and Electronic Money Institutions published by the CBRT on 22 January 2022, as of April 1, 2022, the minimum capital requirements for these institutions will be TRY 5.5 million (approx. EUR 352,000), TRY 9 million (approx. EUR 576,000) (except for institutions providing consolidated account information of payment service providers on online platforms) and TRY 25 million (approx. EUR 1.6 million), respectively.

In addition, payment institutions providing bill payment intermediation services must deposit a minimum security of TRY 2 million (approximately EUR 64,000>), other payment institutions TRY 3 million (approximately EUR 192,000) and e-money institutions TRY 5 million (approximately EUR 320,000) with the CBRT.

According to the Regulation, applications for operating licences are submitted to the CBRT in two stages: the information check and the final licence.

Persons who do not have an operating licence prior to the entry into force of the Regulation and who issue assets that can be considered as e-money and therefore fall within the definition of e-money under the applicable legislation must submit an application for an operating licence to the CBRT by 1 December 2022. For applications submitted prior to the entry into force of the Regulation, missing information and documents to be submitted at the intelligence review stage should be submitted to the CBRT by 30 June 2022 at the latest. Otherwise, the applications will be rejected.

Transactions that institutions cannot carry out

According to the Regulation, foreign exchange transactions cannot be conducted if both parties to the transaction are located in Turkey and use payment service providers located in Turkey. However, provided that one of the parties to the transaction is resident abroad and other conditions specified in the Regulation are met, the institution may conduct foreign exchange transactions limited to the provision of payment services only.

Within the framework of the credit ban, the institutions are also not allowed to grant loans or to carry out advertising and marketing activities that give the impression of granting a loan. Furthermore, brokerage amounts may not be paid in instalments.

Provision of services with foreign legal entities

According to the relevant provisions of the Regulation, payment and e-money institutions established in Turkey may cooperate with legal entities established abroad, which must obtain authorisation from the CBRT to do so, depending on their purpose or activity. However, the scope of this cooperation is limited only to payment services where at least one of the parties to the transaction (i.e. sender and recipient) is located abroad. In this case, the institution provides the payment services within the scope of the legislation to its domestic clients together with the foreign resident legal entity.

In addition, the foreign-based legal entity must not be the only visible face of the service to the customer (i.e. it must not use its own trademarks and logos in all types of documents, advertising or public statements in a way that gives the impression that it has obtained a domestic operating licence, and it must not set up a website to address domestic customers).

Finally, the legal entity established abroad must be authorised to provide payment services or issue electronic money by the competent authorities of the country in which it has its registered office.

Foreign legal entities cooperating with institutes must apply to the CBRT for approval within a maximum of six months after publication of the regulation.

Representation

The Regulation clarified the provisions on representation, introduced restrictions on the choice of representatives and strengthened controls on representatives. Without prejudice to the institutions' due diligence obligations when selecting agents, payment services may be processed through agents by electronic or physical means.

In addition, the representatives must be registered in the list electronically prepared by the Association of Turkish Payment and Electronic Money Institutions (Türkiye Ödeme ve Elektronik Para Kuruluşları Birliği). The documents to be requested from the candidates for representation and the points to be considered in the representation contract are also specified in the regulation.

Structure of the company

The regulation also contains provisions on the organisation's board of directors and senior management, the required qualifications of the managing director, notification of changes in management, mandatory internal control, risk management, independent audit, reporting, business continuity plan and information systems management and audit mechanisms.

Other

Payment service providers are required to inform customers by producing an electronic or physical information form that contains the rights of consumers in relation to their activities in clear and easily understandable language and is designed to be easily read.

In addition, the Regulation contains provisions on customer consent, the obligation to keep data in the country and the implementation of the Law on Protection of Personal Data No. 6698, as well as the conditions under which the payment service provider can access, use and store data on payment service activity.

General information on the Communiqué

The Communiqué was issued to regulate the procedures and principles relating to payment service providers' data sharing services and the management and auditing of information systems used by payment institutions and electronic money institutions by approved independent auditing bodies.

Before making significant changes to information systems, institutions are required to conduct a comprehensive risk assessment of information systems at least once a year. Institutions are also required to prepare a report on this assessment, together with remedial actions, to be submitted to the CBRT by the end of January each year.

In addition, institutions are required to inform their customers and the Personal Data Protection Board as soon as possible if a cyber incident occurs that results in the disclosure of sensitive customer or personal data, or if personal data unlawfully falls into the hands of others.

Sensitive customer information cannot be disclosed to external service providers and parties other than the authorities expressly authorised by the relevant law, without prejudice to permitted cases. Customer information can only be disclosed to parties other than those expressly authorised by the relevant law, provided that customers are made aware of the limits of disclosure and that their express consent is obtained. In addition, the client's express consent must be obtained through secure methods provided for in Law No. 6698.

Institutions are required to establish an audit trail recording system to track physical or logical access to customer information and information systems, unauthorised access attempts and activities in information systems.

In order to ensure the uninterrupted continuation of their activities, the payment and e-money institutions are obliged to set up and regularly test the "secondary data center and its systems". These must ensure that the secondary systems are accessible and operational, that staff can work and that these systems do not pose the same risks as the primary centre.

For more information on the new Payment Services, E-Money Issuance and Payment Service Providers Regulation and the Communiqué on Payment and E-Money Institutions' Information Systems and Payment Service Providers' Data Exchange Services in the field of payment services, please contact your CMS client partner or your local CMS expert: Dr. Döne Yalçın and Alaz Eker Ündar.