Secondary Legislation on Payment Services Re-Envisioned

Recent Development

The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (“ Regulation “) abrogating the Regulation on Payment Services and Electronic Money Issuance, Payment Institutions and Electronic Money Institutions (“ Former Regulation ”) and Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services of Payment Services Providers (“ Communiqué “) abrogating the Communiqué on the Management and Supervision of IT systems of Payment Institutions and Electronic Money Institutions (“ Former Communiqué “) issued by the Central Bank of the Republic of Turkey (“ CBRT ”) were published in the Official Gazette No. 31676 and dated December 1, 2021 and entered into force on the same date.

What Does the Regulation Cover?

The Regulation foresees the following important changes.

Payment Services and E-Money

• The Regulation stipulates that only intangible assets that are issued in exchange for a one-to-one fiat currency ( itibari para ), created virtually and distributed over digital networks will be accepted as e-money, provided that these intangible assets:

(a) are issued only in exchange for funds accepted by the issuing payment institution / e- money institution (“ Institution “);
(b) stored electronically;
(c) used in order to make payments defined by the Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and E-Money Institutions (” Law ”); and
(d) are accepted as a means of payment by natural and legal persons other than the issuing Institution.

In this regard, bitcoin and similar crypto assets based on assets other than fiat money will continue to be not considered e-money.

• The Regulation is the first to regulate the concept of an anonymous pre-paid instrument in Turkish payment systems laws. The Regulation defines an anonymous pre-paid instrument as “ a pre-paid instrument that is not connected to the payment account in any way and has not been identified or verified; becomes usable by pre-payment or pre-loading; can be issued as re-loadable or non-reloadable; and that is allowed to be used up to the loaded balance amount. ” In this context, anonymous meal cards provided to employees to be used in markets and restaurants and anonymous public transportation cards can be considered anonymous pre-paid instruments.

In accordance with the Regulation, anonymous pre-paid instruments can only be used for the following transactions:

(a) Payment transactions where the anonymous pre-paid instrument holder is physically at the workplace and the anonymous pre-paid instrument is physically used.
(b) Payment transactions and invoice payment transactions regarding the purchase of goods or services to be made by service providers and intermediary service providers that are certified with a trust stamp ( güven damgası ) and whose qualifications are stipulated in the Regulation.

• With the entry into force of the Regulation, payment service providers will be obliged to offer other payment service providers who request to use the payment account services they offer and related infrastructure services, its services under similar conditions as its other commercial customers, business partners or other payment service providers with which it transacts without prejudice to the obligations arising from the legislation and security, operational and technical requirements.

• Applications for operation permits are now a two-stage procedure consisting of an informative investigation stage and final stage. In this context, the Regulation expands the set of required application documents, and the application process becomes subject to more stringent procedural requirements.

• The Regulation stipulates a foreign exchange trade ban with regards to payment transactions where both parties are resident in Turkey and use payment service providers located in Turkey. Exceptionally, in cases where one of the parties is located abroad, Institutions will be able to buy and sell foreign exchange, provided that the trade is only for the provision of the payment service and it meets the conditions specified in the Regulation.

• The Regulation expands the scope of the loan ban set forth in the Former Regulation. Accordingly, the Institutions will not be entitled to grant loans to their clients and engaging in advertising and marketing activities in a way that creates the impression that the Institutions grant loans falls within the scope of this prohibition.

• Contrary to the Former Regulation, if the CBRT detects a situation contrary to the legislation or decides that it threatens the uninterrupted and unproblematic continuation of the operations of the Institution, it is now authorized to request that the relevant Institution close its foreign branch and not operate in certain countries. The CBRT is also authorized to request the relevant Institution to cease its operations through its branch or branches in the event that the CBRT determines that the Institution’s use of branches poses a risk in terms of the smooth running of the Institution’s activities, or if the Institution is having problems in managing the branches.

• One of the most material changes is the ability of the Institutions to cooperate with international peers. The Institutions will be able to cooperate in line with their purpose or activities with legal entities residing abroad that have obtained approval from the CBRT in accordance with the Regulation. This foreign legal entity must be authorized by the relevant authorities of the country where it is headquartered to provide payment services or to issue e-money.

This cooperation is only limited to payment services of the Institution within the scope of the Law to its customers, together with a legal person residing abroad and payment services where at least one of the senders or recipients is abroad.

Even if cooperation is allowed, the legal entity residing abroad must not be the public face of the service. In this context, it is forbidden that the legal person’s own brand and logos are used in a way that creates the impression that it obtained an operation permit or for this legal person to set up a website targeting domestic customers in Turkey.

The Regulation also authorizes the CBRT to request the termination and limitation of cooperation, and to impose additional equity and collateral obligations on the Institution.

• Unless otherwise stipulated in the Regulation, providing payment services and issuing e-money cannot be outsourced.

Activities that can be outsourced are limited to the following:

1. Activities other than the payment service provision and issuance of e-money.
2. Information systems, marketing, advertising, corporate resource management, accounting, call center, follow-up activities of the organization’s administrative affairs related to payment service provision and e-money issuance activities.

Data Protection Within the Scope of the Regulation

• The Regulation defines sensitive customer data differently from the definition under the Former Regulation. Accordingly, the Regulation states sensitive customer data is personal data and customer security information is information used in issuing payment orders or verifying the identity of the customer, and which, if captured or changed by third parties, may allow fraud or fraudulent transactions on behalf of the customer.

Institutions, payment order initiation service providers and account information service providers are responsible for ensuring the security of sensitive customer data.

Further, various obligations are set forth regarding sensitive customer data. In this context, payment order initiation service providers are unable to store the sensitive customer data of customers, and similarly, account information service providers are unable to request sensitive customer data. However, provided that necessary security measures are taken and the customer gives explicit consent, the name of the payment account holder, the payment account number, the payment instrument number and other matters decided to be evaluated within this scope by the bank will not be considered as sensitive customer data within the scope of said provisions.

• As per the Regulation, the Law No. 6698 on Protection of Personal Data (“LPPD”) is primarily applicable to the processing of personal data. Accordingly, the following obligations regarding data protection have been introduced:

1. The payment service provider will be able to access the data related to the payment service operations by providing the necessary information. However, to access data that is not directly related to the payment service, it will need the approval of the customer. If such data includes personal data, the explicit consent of the customer will also need to be obtained in accordance with the LPPD.
2. In the event that sensitive customer data regarding payment instruments issued by payment service providers are kept at or under the responsibility of domestic establishments, the payment service providers will be obliged to keep and store this data in the country.
3. In accordance with the limitations set forth in the Regulation, the data obtained within the scope of the services of payment service providers cannot be shared with or transferred to third parties in or outside of Turkey without a request or instruction from the customer.

What Does the Communiqué Cover?

The Communiqué regulates the management of information systems and data sharing services used by Institutions.

• Pursuant to the Communiqué, Institutions are responsible for ensuring the security of their information systems, and the board of directors will be responsible for the management of these systems. In this context, it is necessary Institutions to establish an information security management system and to implement additional measures for systems containing sensitive customer data. In line with these measures, if there are sensitive customer data and personal data leaks, Institutions must inform both the customers and the Personal Data Protection Authority.

• Sensitive customer data may only be disclosed to parties other than the authorities authorized by law if the customer is informed about the limits of the disclosure and the customer’s explicit consent is obtained. Unlike the Former Communiqué, it is stipulated that the customer’s relevant explicit consent will be obtained in accordance with the LPPD.

• Pursuant to the Regulation and Communiqué, data sharing services, which are an electronic channel, will be used by the parties acting on behalf of the customer.

Conclusion

The Regulation and the Communiqué bring important changes and innovations to the payment systems legislation. In this context, hot topics such as the establishment of contracts with remote communication tools and crypto assets were incorporated into the payment systems legislation and the partnerships of international payment services providers with Turkish peers now has a legal basis that is clarified. The changes made to the framework of the payment systems legislation still require market actors’ scrutiny.