On 30 December 2022, the Central Bank of the Republic of Turkey (“CBRT”) published the Guideline on Data Sharing Services in Payment Services, which examines data-sharing services in payment services (“DSSPS”) included in the scope of open banking (i.e. when the customer has provided the third party provider with access to the data in the financial system). To this end, the Guideline assesses common business models for payment-initiation and account-information services (also regarded as DSSPS) regarding whether these models require an operating licence, and offers guidance on the licensing and technical certification process for these payment services.
It should be noted that the assessments in the Guideline provide a general framework, and final assessments will be made according to the characteristics of each business model after an official application to the CBRT.
Account information services
Pursuant to Law Numbered 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, an account-information service is defined as providing consolidated information on one or more payment accounts belonging to the payment service user with payment-service providers on online platforms if the payment-service user has consented to this.
The licensed account information service providers (“AISP”) compile information on the payment service user's accounts with different account servicing payment service providers (“ASPSP”) and make it available to their users in aggregated form on online platforms.
Account information services business models
The Guideline examines three business models regarding account information services:
- In a scenario where a payment institution transfers account activities information obtained from different ASPSPs (e.g. banks and electronic money institutions) via its own infrastructure to the account holder (e.g. payment service user, customer) based on one-to-one contracts with these ASPSPs and being technically/legally/administratively responsible to the ASPSPs, this business model will be considered an account information service, and therefore the payment institution will need to obtain an operating licence from the CBRT.
- In a scenario where the customer accesses its account activities with the ASPSP (e.g. the bank) through its authorised IP, using methods such as web services, and transfers the information obtained on its accounts to a technology company with the ASPSP providing the information to the authorised IP via the web services based on the contract concluded with the customer, the service in this business model will not be considered an account-information service or a payment initiation service.
In this model, the technology company provides the customer with consolidated "technical services" after the customer transfers the information on its account activities to the technology company. According to the Guideline, the service provided by the technology company in this model is considered services provided by technical service providers that support the provisioning of payment services (e.g. processing, storing, securing, protecting the confidentiality of, and verifying data, as well as the provision and maintenance of information technology, communication networks and tools used for payment services) where the technical service providers do not own the funds transferred at any point in the transaction within the scope of the Law.
- In a scenario where the account holder integrates white label software, which would consolidate all web services of all the ASPSPs with which it has accounts, with its own system by purchasing or obtaining a licence from a technology company (i.e. an external service provider), this business model will not be considered an account information service or a payment initiation service. In this case, the ASPSPs are technically/legally/administratively responsible to the account holder, and the technology company has no responsibility to the ASPSPs.
Payment initiation services
A payment-initiation service is defined as an initiation service provided at the request of a payment service user in relation to a payment account held with another payment service provider.
The licensed Payment Initiation Service Providers (“PISP”) allows payment service users to place a payment order from a payment account with another payment service provider.
Payment initiation services business models
The Guideline examines two business models regarding payment initiation services:
- In a scenario where the payment service user (i.e. customer) has accounts with multiple ASPSPs and wishes to make payments via a payment institution that offers the opportunity to make payments through accounts with multiple ASPSPs, the payment institution through which these transactions are carried out will be qualified as a payment initiation service provider, and is required to obtain an operating licence from the CBRT for the service provided. In this business model, the payment initiation service provider enters into separate contracts with, and is administratively/technically/legally responsible to, the payment service user and the ASPSPs.
- In a business model where customers store their bank cards in a digital wallet offered by a payment institution and transfer funds from their cards in this digital wallet to the account of a workplace, which has a contract with the payment institution, the payment flow will be considered a payment initiation service and the payment institution will be required to obtain an operating licence from the CBRT.
Payment institutions providing account information services and payment initiation services are required to obtain operating licences from the CBRT. It is possible for institutions to apply for licences for these two services separately or at the same time since one is not a pre-requisite for the other.
Evaluations on frequently asked questions
- The Guideline indicates that the online account statement sharing services of banks will be considered as account information services and companies providing such services must obtain a licence for account information services.
- The Guideline explains that in fund transfers listed with account information services, identity information of the sender, which qualifies as sensitive personal data, and counterparty information will be masked.
- The Guideline underlines that if the customer's consent period expires for the processing of account information by the institutions providing payment services or if the customer revokes consent, this data may continue to be stored with the customer's consent. In addition, in case of termination of the relationship between the customer and the institution, data other than audit trails, which must be kept confidential and intact for the period required by the regulations, must be deleted.
The Guideline examines common business models in account-information services and payment-initiation services and exemplifies scenarios in which operating licences should be obtained. The Guideline is expected to clarify the questions of companies providing open banking services regarding the DSSPS licensing requirement.
For more information on the new Guideline or its impact on your business, contact your CMS partner or local CMS expert: Dr. Döne Yalçın.