Secondary Legislation Assessments on Payment Services and Electronic Money Institutions

The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (‘Regulation’) and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services (‘Communiqué’), which are the secondary legislation regulations of the Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (‘Law’), entered into force on 01.12.2021.

The Regulation and the Communiqué were designed to determine the future of the FinTech sector, and the workflow culture and open banking rules at all essential points from the birth to the development of payment and e-money institutions have been established with provisions that are mostly rewritten compared to the abrogated legislation they are the successors of. In this respect, the Regulation and Communiqué can be considered as the new constitutional texts of the sector.

Operating Licence Processes & Related Obligations

It is observed that the process for institutions and organisations (‘Institutions’) to operate as payment and e-money institutions to obtain an operating permit from the Central Bank of the Republic of Turkey (‘CBRT’) has been rewritten within the scope of Article 11 of the Regulation in comparison to both the abrogated legislation and the draft regulations. In this context, a ‘preliminary notification and preliminary preparation’ process is envisaged, which is different from the usual practices in Turkish legislation for obtaining an operating licence from a higher authority, and the Institutions that pass this process by obtaining the CBRT’s notification approval are expected to complete the ‘intelligence review’ and ‘final approval’ stages.

Preliminary Notification Phase: At this stage, the institutions are requested to submit the Regulation annexes consisting of the draft articles of association for the establishment of the company, the operating licence application petition, and the application forms of real and legal person qualified shareholders. In the preliminary notification application, an operating licence application fee of TRY 500 thousand and BITT tax will have to be paid.

Main Outputs: The preliminary notification stage is the stage where the trade registry registration and company establishment have not yet been officially completed. In this sense, the CBRT reviews the draft articles of association and checklists, such as the scope of activities and the formal qualifications required to be included in the trade name, indicating that the institution is a payment and e-money institution, on behalf of the institution seeking to obtain an operating licence, and provides the infrastructure for the intelligence examination phase. Annex-11-A/B/C/D of the Regulation are the necessary documents referred to at this stage. The pre-notification stage is the stage where the real person background and registry searches are carried out in detail, and it can be said that it is important for the regulatory authority’s practical examination to have a small number of partners/legal entity partners for organisations that will be included in the ecosystem with a new company.

Intelligence Review Phase: Within 6 months following the approval of the preliminary notification, the process should be continued by completing the necessary documents and application list. At this stage, in addition to the pre-notification documents mentioned above;

Decision of the board of directors specialised for activity authorisation processes,
Work plan and activity programme,
CPA report stating that the capital has been paid in cash and free from any kind of collusion,
Work flow and business continuity plan,
Establishment of activity and organisation programme and organisational structure,
Determination of authority, duties, responsibilities and job descriptions,
Implementation of the necessary policies and procedures in terms of corporate governance,

Such checklists are seen as important milestones. Annex 15 of the Regulation refers to the checklist of information and documents required for the intelligence review phase and may be instructive for Organisations.

Main Outputs: At this stage, the Institutions are required to be strong especially in terms of financial capabilities. Adequacy of paid-in capital and shareholders’ equity;

TL 1 million capital and TL 3 million equity for Organisations providing services for intermediation of bill payments,
TL 2 million capital and TL 5 million equity for Institutions providing other payment services
For e-money institutions, capital of TL 5 million and shareholders’ equity of TL 13 million are foreseen.

At the same time, the calculation of shareholders’ equity is re-evaluated by the CBRT in January each year, taking into account the annual changes in the price indices published by the Turkish Statistical Institute.

With respect to the protection of funds and collaterals, institutions are required to hold a minimum collateral of TL 2 million for institutions providing services for intermediation of invoice payments, TL 3 million for other payment institutions and TL 5 million for e-money institutions at the CBRT.

Final Approval Process: Within 120 (+60) days following the receipt of the approval from the intelligence review stage, the processes regarding the final approval application will be initiated. In this context;

Establishment of internal control, risk management, accounting, information systems and reporting systems,
Organising and directing the working principles of these units,
Determination of staff job descriptions, authorities and responsibilities and implementation procedures and policies of the units,
Making arrangements for security incident monitoring and customer complaints and satisfaction procedures,
Conducting KVKK compliance operations, structuring human resources and labour law processes, preparing confidentiality agreements and other related procedures,
Preparation of reports on the physical and qualification status determinations requested for the office to be used in the activities,

They are seen as important milestones. Annex-16 of the Regulation refers to the checklist of information and documents required for the final approval stage and may be instructive for the Organisations.

Following the final approval process, the deficiencies, if any, must be corrected within 60 days, otherwise, upon payment of the operating licence fee and payment of the operating licence fee of 1 million TL, the institution will be able to start providing services to its customers as a payment or electronic money institution by making the notification of commencement of operations.

Main Outputs: When the information, documents and process management outputs requested from the institutions at the information and final approval stages are examined, it can be said that ‘internalised institutionalism’ and ‘institutional culture’ are sought. In this context, the extent to which the policies, procedures and action plans prepared in the quality management system logic are actually put into practice is one of the main issues to be controlled and confirmed by the regulatory authority, and indeed, automated business and process flow management on automated data recording systems are sought, and an approach that rejects manual excel, word or physical paper and agenda arguments is displayed.

Corporate Governance and Corporate Culture

As explained in the section above, the regulatory authority seeks institutionalisation within the institutions, which is ensured to be implemented in a systematic manner rather than on paper. The Regulation clearly defines the qualifications and duties required for the realisation of this objective under the following headings: board of directors, members and general manager, internal control, risk management, accounting, reporting and independent audit mechanisms, reporting processes to the CBRT, business continuity plan, information systems management and audit, and outsourcing.

In this context, the regulatory authority undoubtedly expects the institutions to develop an effective and efficient internal control system in order to be fair, transparent, accountable and responsible, to operate separation of powers and duties and cross-control mechanisms, and to establish a system in which trust and reputation are considered as the most important capital of the institutions and all elements that may damage this capital are eliminated. Considering the sector in which the organisations will operate and the focal area of influence, it can be said that these expectations are quite appropriate.

Highlights – General
The Regulation finalises the principles regarding ‘account information service providers’ and ‘payment order initiation service providers’ (payment triggers) and open banking principles. In addition, payment service providers are obliged to provide the services related to accounts to the requesting provider on similar terms and conditions with their other customers in the event that the account services offered are requested to be used by another payment service provider. The principles and operational and technical requirements regarding the execution of these services will be determined in the following period, and the technical service provider Bankalararası Kart Merkezi A.Ş. (‘BKM’) will determine whether uniform compliance is achieved.
Institutions may provide payment services through electronic or physical channels through an agent. The Regulation sets out the documents required to become an agent, obliges institutions to register their agents in the system of the Association of Payment and Electronic Money Institutions of Turkey (‘TÖDEB’), and stipulates that the agent agreement will be drafted by TÖDEB in consultation with the CBRT. As an important update, it has been stipulated that certain institutions, such as all foreign exchange bureaus and jewellers, cannot be representatives.
Again, the concept of ‘anonymous prepaid instrument’, which has been introduced to the literature, is defined as ‘a prepaid instrument that is not linked to a payment account in any way and has not been identified or authenticated, that becomes available by prepayment or loading, that can be issued with or without the possibility of reloading, and that is allowed to be used up to the loaded balance’. In this context, for example, anonymous meal and transport cards issued by employers to employees may be considered as anonymous prepaid instruments.
With the Regulation, payment service providers will be obliged to offer these services to other providers who request to use the payment account and infrastructure services offered, without prejudice to the obligations arising from the legislation and security, operational and technical requirements, under similar conditions with their other commercial customers, business partners and other payment service providers with whom they conduct transactions.
Institutions shall not engage in FX trading in relation to payment transactions where both parties to the transaction are resident in Turkey and used by payment service providers located in Turkey. Provided that one of the parties to the transaction is located abroad and certain conditions are met, the institution will be able to conduct foreign exchange transactions only in relation to the provision of the payment service.
In certain circumstances, payment funds and electronic money protection accounts may be blocked in order to compensate the rights of fund owners and to ensure that the institutions fulfil their regulatory obligations. In this context, it can be said that customer complaint process management and reporting systems will be very important.
Within the scope of radical consumer protection regulations, institutions are obliged to prepare an electronic/physical information form that includes the rights of consumers regarding their activities, uses clear and easily understandable language, and is designed in a way that can be easily read.
About the Communiqué

The main impact area of the Communiqué is to determine the measures to be taken in the technical projection of all corporate processes, including operational, administrative, legal and financial, regulated in the Regulation and the security of information systems of the institutions. In this context, in summary;

Personal data processing activities shall be carried out in accordance with 6698 sy. Personal data processing activities are managed and administered in accordance with the provisions of the Law on the Protection of Personal Data No. 6698,
Taking special measures for sensitive customer data,
Taking measures for access authorisation and authority/responsibility matrix and separation of powers,
Systematic monitoring and tracking of authentication processes,
Coordinated technical and administrative measures to be taken in information security, personal data security and privacy processes,
Establishment of action plan practices against cyber attacks/data breaches,
Performing vulnerability tests,
Preparation of information security and information systems business continuity strategies,
Establishment of backup centres and systems,

It can be said that their obligations have been fulfilled. Considering the professionalism and maturity levels of the organisations with respect to the requirements of the Communiqué, it would not be wrong to conclude that they should start immediately with a professional perspective and seriousness in order to fulfil their obligations.

Final Word

Although detailed sectoral regulations are not seen with the same frequency in our country, where macroeconomic and major development plans are frequently made in every period, serious steps have been taken in recent years, especially for the development of the FinTech sector. The main reason for these developments is the expectations of Generation Z from financial activities or banking services in general, and the great potential power of financial technologies to contribute to the national economy compared to the world.

The main obstacles to the development of FinTechs are the interventionist and exclusionary actions taken by the incumbents who currently hold the flag in the FinTech sector, the regulatory and legislative framework and the unique structure of the market. Regulations such as open banking and service model banking, where stakeholders or service providers can not only use each other’s services, but even ‘substitute’ each other’s services, are regulations that will further this development.

In this context, the decisive reference criterion for development is the emergence of an impact-based consumer detriment. In the following period, Tech-Fin, a world where technology companies offer financial services with a more customer and technology-oriented approach, will be discussed more, even though it is not on the agenda in the current period.