Open Banking: Integration 4.0 Part II

From Regulation to Ecosystem

Open banking, traced from its simple initial definition to today's growing ecosystem, refers to the digital transformation of the financial sector and its related dynamics. The value created by this multidirectional flow of banking functions is only possible with a system that enables the production of unconventional business models and the successful development of these models in a manageable, traceable and sustainable ecosystem.

The technical, administrative and legal details to be designed in this context will be decisive on the IT infrastructure, operational formation and corporate integrity of open banking.

As summarised in the first article of the series, following the definition of open banking in Turkish legislation in line with the European Union directives, the secondary implementation legislation on the basic roles and responsibilities, obligations and licensing requirements for payment order initiation and account information service providers was to be put into effect by the Central Bank of the Republic of Turkey (‘CBRT’) by 01.01.2021 in accordance with the Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (‘Law’). However, there is still no effective regulation published as of October 2021.

Nevertheless, the Draft Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers and the Draft Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services (‘Draft Regulations’) and the obligations to be imposed on institutions and organisations providing open banking services are evaluated as follows in this article of the series:

First Step: Company Establishment

Firstly, an application must be made with a draft articles of association and a petition stating that an application will be made to the CBRT regarding the activities to be carried out as a payment institution/electronic money institution (‘Institution’), and after the approval of the CBRT, the establishment of the company must be completed with a certificate from the chamber of commerce indicating that it is a payment institution/electronic money institution.

At this point, it is seen that there are some formal and qualitative requirements, such as the obligation for the organisation's title to include phrases indicating that it is a payment institution/electronic money institution, and these requirements at the establishment stage are reasonable.

A Challenging Path: 1st and 2nd Stage Approval Processes

It is seen that the approval processes, which are understood to have arisen from the need for regulation of the ecosystem, are quite strict and prescriptive; all organisations that want to exist in the open banking system ‘within the scope of the legislation’ must complete these stages. In this context, in the first stage:

An activity programme and business plan should be prepared; the services/products to be offered, business model, target group, competition analysis, financial innovation development, transition to a cashless society targets should be explained in detail based on numerical data,
In this process, which is expected to be managed and administered by the board of directors of the organisation, financial audit and capital determination report should be made by authorised independent audit firms, property declaration of qualified shareholders and real person shareholders in control should be prepared and added to the application documents.

In the second stage approval process:

Establishment of service units within the organisation chart and creation of sufficient staff; establishment of internal control, risk, accounting, reporting and information systems units,
Determination of job descriptions, authorities and responsibilities for units and titles,
Taking measures for the continuity of activities, security and confidentiality of information, and establishing a structure for monitoring security incidents and customer complaints,
Information systems audit work is carried out by Independent Audit Institutions Authorised to Perform Information Systems Audit in Banks and a detailed evaluation report is prepared,
Fulfilment of the capital, collateral and minimum equity obligations specified in detail,
Obtaining the document to be obtained from the Interbank Card Centre (BKM) within the scope of compliance with the API standard to be officially announced by the CBRT,
And even the provision of information and images of the organisation’s office should be continued after the requirements are fulfilled.

From Ecosystem to Regulatory Authorities

Although the operating practices and the distribution of roles and responsibilities of the competent administrative authorities in relation to open banking are not clear, it is beyond doubt that the main outlines of the subject are drawn by the Law and that the CBRT, to which the Law attributes secondary regulatory authority, is predominant and prioritised, together, of course, with the BRSA, which is bound by the subject in terms of banking functions. In addition, it is highly probable that BKM will be included in the ecosystem as the main provider within the scope of the data sharing services application architecture, in addition to overseeing uniform API compatibility. Finally, the Association of Payment and Electronic Money Institutions of Turkey (TÖDEB), which has been assigned to carry out its duties and responsibilities within the framework of the Law and of which institutions are obliged to be members, will find its place in the process.

Obviously, it is open to debate whether the above-mentioned compulsory requirements for obtaining an open banking licence can be met by the interlocutors already in the ecosystem. Namely, the ability of an organisation to be fully ‘institutional’ in the open banking ecosystem from scratch will also depend on whether it has internalised institutionalism for a certain period of time. Otherwise, job descriptions, workflow and control processes, policies or procedures, even written with best practices, will not be able to go beyond the written form, and a corporate organisation trying to be managed in this way will not be able to build a compliance institution on its own culture.

At the same time, independent information technology and financial audits will reduce most stakeholders to the position of small players in the face of the big players conducting these audits, and may be financially and morally distracting and even unaffordable for organisations focused on fulfilling these requirements for both operational and technical security and assurance purposes. Information technology measures that require investment may be reasonable in this system, which is intertwined with regulation, but the obligation to meet these costs at the time of market entry will bring about discussions on gradual transition.

For example, the system, which in parallel with the EU Regulations requires open banking to be provided on demand and in this respect tries to capture an environment of rich competition, is being developed through the Draft Regulations, which envisage a customer-oriented system (as perhaps they should), and the indispensable licence requirements are important enough to affect the ecosystem in a fundamental way.

Living Ecosystem Method

Our new lifestyle, which emerged with the COVID-19 pandemic, has proven that digitalisation in service sectors, especially finance, is no longer a choice but a necessity. The effective and active participation of institutions to develop open banking will determine the success graph and lifespan of this ecosystem. For the regulatory authorities, the factor that will pave the way for this graph and the life of the ecosystem is to determine the measures to be implemented correctly when necessary, and to make supportive moves by following the world vision with internal and external control mechanisms.

This article was prepared by GRC LEGAL – Av. Mehmet Şahin on behalf of FINTEO, a member of FINTR.