PAYMENT SYSTEMS, DIGITAL BANKING AND CRYPTO ASSETS
Banking and payment systems are heavily regulated under Turkish law. Banking Law No. 5411 (“Banking Law”) is the main legal document that regulates the banking sector, and payment systems are regulated by the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Payment Law”), together with their secondary legislation.
Under the Payment Law, payment system and securities settlement system can only be operated with a license acquired from the Central Bank of the Republic of Turkey (“Central Bank”). Payment system is defined under the Payment Law as “the structure that has common rules and provides the infrastructure required for clearing and settlement transactions carried out in order to realize fund transfers arising from transfer orders among three or more participants” and securities settlement system is defined as “the structure that has common rules and provides the infrastructure required for the clearing and settlement transactions carried out in order to realize securities transfers arising from transfer orders among three or more participants”.
Moreover, the following activities are defined as payment services under Article 12 of the Payment Law:
- All the transactions required for operating a payment account including the services enabling cash to be placed on and withdrawn from a payment account,
- Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider, direct debits, including one-off direct debits, payment transactions through a payment card or a similar device, credit transfers including standing orders,
- Issuing or acquiring payment instruments,
- Money remittance,
- Execution of payment transaction, where the consent of the payer to execute a payment transaction is given by means of any telecommunication, digital or IT device and the payment is made to the telecommunication,
- Corresponding services enabling bill payments.
- At the request of the payment service user, the payment initiation service related to the payment account at another payment service provider.
- Upon approval of the payment service user, the online provision of consolidated information of one or more payment accounts held at payment service providers by payment service users.
- Other transactions and services reaching the level to be determined by the Bank in terms of total size or impact in payments.
According to the Payment Law, payment institutions are legal persons authorized pursuant to the Payment Law to provide and execute payment services.
As an important step, the Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers (“PSR”) and the Communiqué on Information Systems of Payment and Electronic Money Institutions, and Data Sharing Services of Payment Service Providers in the Field of Payment Services (“DS Communiqué”), drafted by the Central Bank, were published in Official Gazette numbered 31676 on 1 December 2021 and entered into force. With the PSR and the DS Communiqué, drafted based on the amendments made in the Payment Law, which was published in the Official Gazette on 22 November 2019, Turkish legislation has been aligned with Directive (EU) 2015/2366 of European Commission, Payment Services Directive 2 (“PSD2”).
Moreover, digital banks are regulated under the Turkish law for the first time.
Crypto assets, on the other hand, are mainly unregulated under Turkish law, and until 2021 there was no provision directly addressing crypto assets. The very first legal document specifically regulating crypto assets is the Regulation on the Use of Crypto-Assets in Payment promulgated in 2021, which prohibits the use of crypto assets in payments. Non-Fungible Token (“NFT”) usage and fan token issuance have grown rapidly in Turkey. Fan tokens in particular have become very popular among sports teams, including major league football clubs such as Fenerbahçe and Altay, providing additional income.
On a further note, blockchain on its own is not regulated, but rather, governed by the rules applicable to the area where it is used.
Recent Key Developments in Payment Systems, Digital Banking and Crypto Assets
The Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers
The regulation aims to set out the procedures and principles regarding the authorization and activities of payment institutions and electronic money institutions (“Institutions”), the provision of payment services to payment service providers, and the issuance of electronic money.
The PSR regulates the licensing conditions and proceedings of the Institutions. One of the most critical provisions is that intangible assets that are only issued in exchange for a one-to-one fiat currency, created virtually and distributed over digital networks are considered electronic money if they are issued against funds accepted by the issuing institution, stored electronically, used to perform the payment transactions defined in the Payment Law and accepted as a payment instrument by real and legal persons other than the issuing institution. The Central Bank will determine how the secondary regulations enacted pursuant to the Payment Law will be applied to intangible assets that will be considered electronic money within the scope of this paragraph, and other procedures and principles needed for such electronic money.
According to the PSR, a payment order refers to the instruction given by the customer to the payment service provider for the purpose of realizing the payment transaction, and in accordance with Law No. 6493, the institutions have the right to issue a payment order initiation service (“PIS”). Where a payment is initiated through the PIS provider, the institution holding the sender’s payment account will promptly return the unfulfilled or incorrectly executed part of the payment transaction to the sender and restore the payment account if the amount has been deducted from the payment account. In such transactions, the PIS provider bears the obligation to prove that the payment order has been received by the institution where the payment account is held, and that the transaction has been approved by the customer, is recorded correctly, is processed into the accounts and is not affected by a technical failure or problem in the services under its responsibility.
The procedures and principles regarding the execution of transactions related to the PIS and the account information service (“AIS”), and the technical and operational requirements to be complied with by the parties, are determined by the Central Bank. Compliance with the technical and operational requirements of the Central Bank is audited through a technical control and evaluation process to be carried out by the Interbank Card Center (“BKM”). Parties who complete this technical control and evaluation process without any problems are registered by BKM, publicly announced on the website, and accepted as authorized PIS and AIS providers after the necessary permissions are given by the Central Bank. Institutions operating as of the date of entry into force of the PSR are obliged to harmonize with the PSR within one year from the date of publication of the PSR.
Digital Banking Regulation
As a result of the amendments made to article 76 of the Banking Law, and with the entry into force of the Regulation on the Establishment of a Contractual Relationship in the Electronic Environment and the Remote Identity Detection Methods to be Used by Banks, establishing contractual relations between banks and their customers in an electronic environment became possible. With these developments, the Banking Regulation and Supervision Agency (“BRSA”) has aimed to lay the foundations of the digital banking model, which operates only in the digital environment. Therefore, the BRSA published the Regulation on the Operating Principles of Digital Banks and Service Model Banking (“DBR”).
The DBR aims to determine the operating principles of branchless banks that serve exclusively through digital channels and the conditions for the provision of banking as a service model (banking as a service, “BaaS”) to businesses and innovative enterprises – in other words, start-ups.
The DBR defines digital banks as “credit institutions that provide banking services mainly through electronic banking services distribution channels instead of physical branches”. Unlike the branchless banking application in Europe, the DBR allows neo banks to obtain a license to operate directly over the BaaS infrastructure, without the requirement to have a licensed sponsor bank.
Unless otherwise stated in the DBR or the relevant legislation, digital banks can perform all the activities that credit institutions can perform, depending on whether they are deposit or participation banks. Digital banks are obliged to comply with the provisions of the DBR in addition to all the legislative provisions that credit institutions are obliged to comply with within the framework of the Banking Law and related legislation.
The DBR sets forth certain restrictions for the activities of digital banks. According to the DBR, customers of digital banks can only be financial consumers and small and medium enterprises (“SMEs”). In this respect, digital banks were prevented from carrying out commercial banking activities exceeding the SME size. The total of unsecured cash loans that digital banks can make available to a certain financial consumer cannot exceed four times the average monthly net income of the relevant customer, and if the customer’s average monthly net income cannot be determined, the total of unsecured cash loans that can be extended for such customer cannot exceed ten thousand Turkish Liras.
The DBR defines the BaaS as “a service model in which customers can perform banking transactions through the service bank by connecting directly with the systems of service banks via open banking services by the interface offered by the interface providers.” The service bank can only provide service model banking services to domestically resident interface providers and only within the framework of their own operating permits.
Regulation on the Use of Crypto-Assets in Payment
The Regulation on the Use of Crypto Assets in Payments was published on 16 April 2021, to be effective as of 30 April 2021, and became the first legal document specifically regulating crypto assets under Turkish law.
Crypto asset is defined under Article 3 as “intangible assets that are created virtually using distributed ledger technology or a similar technology and distributed over digital networks but are not qualified as fiat money, dematerialized money, electronic money, payment instrument, security or another capital market instrument”. As per Article 3, crypto assets may not be used directly or indirectly in payments. Article 4 prohibits payment service providers from developing business models, or providing services regarding those business models, where crypto assets are used in the provision of payment services and issuance of electronic money. Article 4 also prohibits payment and electronic money institutions from mediating platforms and fund transfers from the platforms offering trading, custody, transfer, or issuance services for crypto assets.
Regulations Allowing IBAN Issuance by Payment Service Providers
Communiqué numbered 2021/5 (“Amendment Communiqué”), published in Official Gazette dated 5 August 2021, numbered 31559, amends Communiqué number 2008/6 on International Bank Account Numbers to allow payment service providers to issue international bank account numbers (“IBAN”).
Amendment Communiqué provides that (i) payment service provider codes for use in issuing IBAN will be determined by the Central Bank, and (ii) non-bank payment service providers can issue IBAN for customer accounts subject to money transfers but are obligated to do so only where applicable payment system rules established pursuant to Payment Law so require.
Regulation on Remote Identity Verification and Remote Contract Execution
The Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relations in Electronic Environment was published in the Official Gazette No. 31441, dated April 1, 2021. With the regulation, it became possible to perform identity verification proceedings online by video call, without the need for the customer representative and the customer to be physically present in the same environment. In addition, after identity verification is made remotely or through branches, it became possible to establish remote banking contracts.
General Communiqué of Financial Crimes Investigation Board No. 19 on Remote Identity Verification
General Communiqué of Financial Crimes Investigation Board No. 19, effective as of 1 May 2021, on remote identity verification (“Communiqué 19”), was published in Official Gazette No. 31470 of 30 April 2021.
The Communiqué 19 allows, in accordance with extant applicable law, remote consumer identity verification to facilitate establishment of a commercial relationship. The method designed and utilized by the parties must minimize the risk of unauthorized publication of protected data. Notably, a signature sample need not be obtained in the process.
Crypto Asset Service Providers’ Obligations Regarding Anti Money Laundering and Terrorist Financing
The Regulation on Amendment of Regulation on the Measures for Prevention of Laundering Proceeds of Crime and Terrorist Financing, effective as of 1 May 2021 (“Crypto AML Regulation”), was published in Official Gazette numbered 31471 of even date.
The Crypto AML Regulation expands the definition of obligated entities under article 4 of the Regulation on the Measures for Prevention of Laundering Proceeds of Crime and Terrorist Financing (“AML Regulation”), published in Official Gazette numbered 26751 of 9 January 2008, with the following subparagraphs:
- (ü) crypto asset service providers,
- (v) savings financing companies.
Accordingly, as of 1 May 2021, crypto-asset service providers, savings financing companies, their branches, agents, representatives, commercial agents, and affiliated entities are required to comply with the AML Regulation.
E-commerce is regulated under Turkish law, especially regarding e-commerce platforms and electronic commercial messages. Law on Regulation of Electronic Commerce No. 6563 is the main legislative document that governs e-commerce, along with the Law on Protection of Consumer No. 6502 (“Consumer Law”) for the B2C side. In accordance with the E-Commerce Law, with certain exceptions, commercial electronic messages can be sent to recipients by service providers only with the recipient’s prior consent. Service providers wishing to send commercial electronic messages must register with, and transfer their consent records to, the commercial electronic communication management system before carrying out any commercial communication. A draft has been brought to the Turkish parliament for the amendment of the Consumer Law. The proposed amendments, if passed, will bring certain aggravated obligations for intermediary service providers and stricter regulations regarding remote contracts.
Recent Key Developments in E-Commerce
Competition Authority’s Preliminary Findings on E-Marketplace Sector
On 7 May 2021, the Turkish Competition Board made public certain preliminary findings (“Report”) from its e-marketplace sector inquiry, commenced 11 June 2020 (“Inquiry”), by publishing same on the Turkish Competition Authority’s (“TCA”) website.
The Inquiry was intended to, in the interest of general consumer and merchant protection, identify anti-competitive practices within the e-marketplace sector. In light of the Inquiry findings, the Report, inter alia, recommends implementing certain ameliorative measures. To that end, the Report contains the following recommendations:
- strengthen applicable secondary legislation,
- implement a code of conduct applicable to e-marketplace platforms in order to eliminate current imbalances in bargaining power between merchant and e-marketplace platform operator,
- promulgate standards for e-marketplace conduct of gatekeeper enterprises.
All internet content, including online media services, is regulated under the Law no. 5651 (aka Internet Law) by the Information and Communication Technologies Authority (“ICTA”). The Internet Law regulates the obligations of content providers, hosting providers, internet providers and social network providers.
As per the Internet Law:
- The content provider is responsible for any kind of content it makes available on the internet. Yet, hosting providers are not responsible for checking the hosted content or researching whether such content constitutes an unlawful activity.
- Access providers are required to block alternative access methods and provide information to the ICTA if requested;
- Social network providers are under the obligation to respond to individual requests within forty-eight hours, comply with content removal and access prevention measures, and provide regular reports including statistical and categorical information on the foregoing.
- Social network providers abroad that have more than 1 million daily accesses from Turkey are required to appoint local representatives. The local representatives are responsible for accepting notices, notifications, and requests from administrative and judicial authorities in Turkey, responding to individual applications and fulfilling other obligations under the Internet Law.
Recent Key Developments in Internet/Social Media
Bans Advertising on Twitter, Periscope, and Pinterest
Turkey introduced a set of amendments to the Internet Law, and the amendment law was published in the Official Gazette on 31 July 2020. With the amendments, a series of obligations were set forth for the local and foreign domiciled social network providers operating in Turkey, including appointing a local representative.
ICTA banned advertising on Twitter, Periscope, and Pinterest for failure to appoint a local representative. The advertisement bans were later withdrawn after the appointment of such representatives.
Guidelines applicable to Social Media Influencer Advertising
To clarify the current state of the law on social media advertising governed by Consumer Law and the Regulation on Commercial Advertisement and Unfair Commercial Practices (“Advertising Regulation”), Turkey’s Advertisement Board published its Guideline on Commercial Advertisement and Unfair Commercial Practices of Social Media Influencers, effective 4 May 2021 (“Guideline”).
Social media posts by influencers deriving financial or other material benefit are commercial in nature under the Law and the Advertising Regulation, and such ads must fully comply with them. Accordingly, the Guideline, on top of certain other requirements, obliges social media influencer posts to be disclosed as commercial advertising.
Amendments to the Regulation on Presentation of Radio, Television, and On-Demand Internet Broadcasts
The Regulation Amending the Regulation on Presentation of Radio, Television, and On-Demand Internet Broadcasts (“Amendment Regulation”) was published in Official Gazette dated 10 April 2021 and numbered 31450. Amendment Regulation introduced certain amendments affecting the financial obligations of licensed broadcasters which are as follows:
- Broadcasters wishing to pay their licensing fees in installments were obliged to pay the first installment to the Radio and Television Supreme Council (“RTÜK”) up-front and in cash, and guaranty payment by providing to the RTÜK a guarantor letter(s) operative for a period of at least 10 years and amounting to 6 installments. The Amendment Regulation revised the amount as 9 installments and allowed broadcasters to obtain guarantor letters from more than one bank.
- A broadcaster wishing to renew its license must apply online to the RTÜK at least 2 months before expiration of its then current license.
- Guarantor letter covering a broadcaster’s internet broadcast transmission authorization fee must be in an amount equal to such fee and operative for a period of 1 year.
In Turkey, although there is no specific regulation regarding cloud computing, certain rules prescribed in several laws and secondary legislation concerning cloud computing apply in most cases. These rules are mainly concentrated on the notification requirement and data localization.
As stated above, hosting providers should notify ICTA before providing hosting services.
Hosting provider is defined under the Internet Law as “natural or legal persons who operate or provide systems which stores the services and contents”. As such, cloud providers are regarded as hosting providers under the Internet Law.
As per the Internet Law, hosting providers are required to retain traffic data for 1 year and ensure the integrity, accuracy and privacy of this data. However, as per Electronic Communication Law No. 5809 (“ECL”), traffic data cannot be transferred abroad without the data subject’s explicit consent. This is an important challenge for cloud computing providers whose servers are located in foreign countries. The Personal Data Protection Board (“DP Board”) previously concluded in the “Gmail Decision” numbered 2019/157 dated 31 May 2019 that, where Gmail services provided by Google are used, mails are held at data centers all around the world and, therefore, this constitutes transferring personal data abroad.
Recent Key Developments in Cloud Computing
DP Board’s Decision Regarding Cloud Use
In the DP Board’s decision numbered 2021/359 dated 13 April 2021, the data controller employer was sanctioned for using cloud services to store employees’ personal data without first obtaining the employees’ explicit consent. The employee data was stored in a cloud database with servers abroad, which could only be accessed by relevant authorized persons. As the servers of the cloud database were abroad, the DP Board ruled that the data was transferred abroad.
BRSA’s Regulation Regarding Cloud Use in Banking
The Regulation on Information Systems and Electronic Banking Services of Banks (“BRSA Regulation”), which governs the use of cloud computing by banks, has entered into force. The use of cloud systems is not prohibited under the BRSA Regulation. However, certain conditions should be fulfilled for the use of cloud systems. According to the BRSA Regulation, the primary and secondary systems of the Institutions should be kept in Turkey. If cloud computing services are used, the information systems of cloud computing service providers and their back-ups are also regarded as primary and secondary systems of the Institutions. In such cases, these data, hardware and software and their back-ups should also be kept in Turkey. Moreover, where cloud computing services are used for primary and secondary systems, the hardware and software used should be dedicated to a single institution. However, the use of community clouds is permitted for banks and financial institutions under certain conditions. With BRSA approval, a community cloud can be used by banks and financial institutions, on condition that the software and hardware are dedicated to BRSA regulated institutions and logical separation is provided for each company. In addition, with the BRSA’s approval, financial institutions may use the same dedicated software and hardware on condition that logical separation is provided for each company.
Artificial Intelligence (“AI”)
AI is not specifically regulated under Turkish law; however, its use may trigger certain control mechanisms under various laws and regulations. For instance, the use of AI for automatic decision making can be challenged by data subjects if it results in a negative impact on them, and they can request human intervention in the decision making. Product liability and tort provisions of Turkish law also apply to damages incurred due to the use of AI.
Recent Key Developments in AI
Artificial Intelligence Strategy
The Circular numbered 2021/18 on the National Artificial Intelligence Strategy was published in the Official Gazette dated 20 August 2021 and numbered 31574, and the National Artificial Intelligence Strategy Document (“Strategy”) was published on the Digital Transformation Office of the Presidency’s website on 24 August 2021.
The high-level targets foreseen for 2025, which is the end of the implementation period of the Strategy, are as follows:
- The contribution of AI to GDP will be increased to 5%.
- Employment in the field of AI will be increased to 50,000 people.
- Employment in the field of AI in central and local government public institutions and organizations will be increased to 1,000 people.
- The number of graduate level graduates in the field of AI will be increased to 10,000.
- AI applications developed by the local ecosystem will be prioritized in public procurement and commercialization will be supported.
- An active contribution will be made to the regulatory studies and standardization processes of international organizations in the field of cross-border data sharing with reliable and responsible AI.
Telecommunication (telco) is a highly regulated sector under Turkish law. The ECL, which is prepared based on Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 Establishing European Electronic Communications Code (“EECC”), is the main legislative document that governs the telecommunication sector. ICTA is the national regulatory agency for the supervision of the sector and execution of the ECL. The telco sector is regulated by licensing, authorization, notification and other control mechanisms regarding the establishment, conduct and structure of telco companies. Electronic communication services can only be provided by obtaining a license from ICTA. On the other hand, the following are not subject to authorization: electronic communication services and/or networks or infrastructure that are established within the immovables of a real or legal person and do not exceed the borders of each immovable, are used exclusively for personal or corporate needs, are not used to provide any electronic communication service to third parties, are not intended for any commercial purpose in their provision and are not made available to the public; and those established by public institutions and organizations in accordance with their special laws regarding the services they provide exclusively. Unlike EECC, the ECL does not contain a provision to expressly scope the communication medium between individuals which are provided for a price.
Recent Key Developments in Telco
Regulation on Verification Process of the Applicant’s Identity in the Electronic Communications Sector
The Regulation on Verification Process of the Applicant’s Identity in the Electronic Communications Sector (“RIR”) was introduced in the Official Gazette dated 26 June 2021 and numbered 31523.
According to the RIR, only the following channels can be used for identity verification:
- e-Government gateway,
- Visual verification by artificial intelligence or authorized person, together with the document with near field communication feature in accordance with the ICAO 9303 standard,
- Creating PAdES with Republic of Turkey ID Card,
- Taking video footage to be specific to the process with the applicant’s identity document in face-to-face channels.
The Regulation allows artificial intelligence to make the comparison of the face in the live image and the photograph in the identity document.
Regulation on Protection of Personal Data in Electronic Communication Sector
ICTA’s long-awaited Regulation on Process of Personal Data and Protection of Privacy in Electronic Communication Sector (“DPR”) was published in the Official Gazette number 31324 dated 4 December 2020.
In the DPR, contrary to its predecessor, the explicit consent requirement for cross-border data transfer is not regulated for all personal data categories. Communication and location data are regarded as important for national security, so cross-border transfer of these data is prohibited unless the user’s explicit consent is obtained.
The DPR obliges operators to implement all necessary technical and administrative measures to ensure the security of the services provided with the user’s personal data. The minimum requirements are also provided in the DPR, such as determining policies; protecting personal data against all breaches including disruption, loss, alteration, and recording to another environment; and implementing necessary measures to prevent unauthorized access to these data. Operators are also obliged to save the log records to the systems containing personal data for two years.
In article 8 of the Regulation, specific provisions were introduced regarding explicit consent. The provisions are generally in line with the Law on Protection of Personal Data number 6698 (“DP Law”). As with the DP Law, explicit consent must be specific to a certain data processing activity and must be given of free will, and thus cannot be a condition for the service. It is, however, stated in the Regulation that explicit consent may be requested by providing additional benefits such as extra minutes or SMS rights. An obligation to inform is also implemented with the regulation as to the processed personal data, traffic, and location data. This information must be in font size 12 if made in writing. Operators are also obliged to inform users, in the third quarter of the year, that their data is processed based on their explicit consent. Otherwise, the data processing activity of the Operators within the scope of the explicit consent given before is suspended until the privacy notice is submitted.
Increase in Direct Carrier Billing Usage
Direct Carrier Billing (“DCB”) has already been widely used in the Turkish market, especially for payment of electricity, gas and water subscription bills. The pandemic, however, created the need for payment methods alternative to card and cash. DCB use in Turkey during the Covid-19 pandemic has increased
PERSONAL DATA PROTECTION
Privacy and protection of personal data is primarily regulated by the Law on Protection of Personal Data No. 6698 (“DP Law”). The DP Law sets forth certain obligations of data controllers, including to comply with the general principles of data processing, base data processing activities on a valid and legal ground, inform data subjects as to determined aspects of the data processing, respond to data subjects’ applications with regard to their rights under the DP Law, comply with prohibitions on domestic/cross-border transfer, comply with the requirements for erasure, destruction, and anonymization of personal data, take adequate security measures for the protection of personal data, notify data breaches and register with the data controllers registry.
Recent Key Developments in Personal Data Protection Law
The Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (“Certification Communique”) was published. With the Certification Communique, in accordance with the standard numbered EN ISO/IEC 17024 (ISO17024), the procedures and principles have been determined regarding the certification of persons with regard to the DP Officer Program.
According to the Certification Communique, those who have participated in the program, the principles and procedures of which are determined by the Authority, and have been successful in the respective exam will be entitled to use the title of “data protection officer”. Organizations accredited by the Turkish Accreditation Agency within the scope of the ISO17024 standard will be authorized to certify those who are successful in the relevant exams related to certification.
In accordance with the Certification Communique, a data protection officer is assumed to have sufficient knowledge in terms of personal data protection legislation within the scope of the program for which they are certified. It is also regulated that the data protection officer can only use this title during the validity period of their certificates.
Finally, it is emphasized in the Certification Communique that employing a data protection officer will not remove the responsibility of the data controller and data processor to comply with the DP Law.
Personal Data Categories in Privacy Notices
Regarding the obligation to inform, the most important decisions in 2021 were the DP Board’s decisions regarding the need to include the personal data categories processed in the privacy notice. In Article 4 of the Communique on Principles and Procedures to be Followed In Fulfillment Of The Obligation To Inform, the information required to be included in the privacy notice is determined as the identity of the data controller and, if any, its representative, the purpose for which personal data will be processed, and to whom and for what purpose personal data can be transferred. The Board’s decision dated 8 October 2020 and numbered 2020/765, however, stated that the categories of personal data processed should also be included in the privacy notice.