Ekin İnal and Ecem Naz Boyacıoğlu
Reproduced from Practical Law with the permission of the publishers. For further information, visit www.practicallaw.com.
Overview of financial services sector
1. What are the types of entities that form the financial services sector in your jurisdiction?
The Banking Law No. 5411, which entered into force on 1 November 2005 (Banking Law), provides the legal framework regarding banking activities to ensure the reliability and stability of financial markets and to promote the effective functioning of loan markets. The following entities can be established under the Banking Law:
- Deposit banks (mevduat bankaları):These banks can accept deposits, advance loans and conduct other banking activities as permitted under the Banking Law
- Participation banks (katılım bankaları):These banks can accept funds by using special current accounts or participation accounts, advance loans and conduct other banking activities as permitted under the Banking Law. Activities of these banks are based on interest-free banking principles in line with globally accepted Islamic finance principles
- Development and investment banks (kalkınma ve yatırım bankaları):These banks can advance loans and perform the objectives provided by special relevant laws, except for accepting deposits or funds
These categories also include Turkish branches of foreign banking institutions conducting equivalent banking services in their home countries.
Financial holding companies (finansal holding şirketleri) are companies whose subsidiaries are banks and/or other financial institutions, and of which at least one is a deposit or participation bank.
The Law on Financial Leasing, Factoring, and Financing Companies No. 6361, which entered into force on 13 December 2012 (Financial Leasing Law), provides the legal framework regarding the establishment and activities of financial leasing, factoring, and financing companies. The following entities can be established under the Financial Leasing Law:
- Financial leasing companies (finansal kiralama şirketleri) provide financing by leasing certain assets based on a financial leasing agreement, subject to certain statutory requirements
- Factoring companies (faktoring şirketleri) take transfer of accounts receivable that arise from the sale of goods or services and documented through an invoice, and provide debt collection, book-keeping, financing and/or guarantee services
- Financing companies (finansman şirketleri) are entities that finance the purchase of goods and services by purchasing such goods and services in the name and on behalf of the buyer and making the payment directly to the seller
The Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Companies No. 6493, which entered into force on 27 June 2013 (Law on Payment Systems), provides the legal framework regarding payment and securities settlement systems, payment services and relevant entities, and electronic money companies. The following entities can be established under the Law on Payment Systems:
- Payment companies (ödeme kuruluşları) are entities that are authorised to provide payment services
- Electronic money companies (elektronik para kuruluşları) are entities that are authorised to issue electronic money (or e-money). E-money is defined as a monetary value, issued in exchange for funds by an e-money company, stored electronically and accepted as a payment tool by persons other than the issuer
The Insurance Law No. 5684 (Insurance Law), which entered into force on 14 June 2007, provides the legal framework for the insurance sector, ensuring its reliability and stability. The following entities can be established under the Insurance Law:
- Insurance companies (sigorta şirketleri) are entities that are established to issue insurance policies and render related services
- Reinsurance companies (reasürans şirketleri) are entities that are established to provide reinsurance services
The Insurance Law also regulates insurance agencies and brokers. Insurance agencies (sigorta acenteleri) execute insurance policies for and on behalf of insurance companies, assist with the preparatory works and implementation of insurance contracts and claims payments in a defined geographical area. Insurance brokers (sigorta brokerleri) assist the insured in the selection of the appropriate insurance and reinsurance company and preparatory works of the contract, and if required, in the implementation of contract and claims payments.
The Capital Markets Law No. 6362 (Capital Markets Law), which entered into force on 30 December 2012, provides the principles regarding capital market activities and instruments, public companies, listed companies, investment companies and other capital markets entities, stock exchanges and other organised markets. The following entities can be established under the Capital Markets Law:
- Intermediary entities (aracı kurumlar) are entities that are authorised by the Capital Markets Board of Turkey (CMB) to exclusively provide investment services and activities as set out under the Capital Markets Law
- Collective investment entities (kolektif yatırım kuruluşları) consist of investment partnerships (yatırım ortaklıkları) and investment funds (yatırım fonları):
- Investment partnerships are established to manage portfolios consisting of capital market instruments, real estate, venture capital investments, and other assets as determined by the CMB. Investment partnerships are organised as joint stock companies with fixed or floating capital and offer shares to public
- Investment funds are portfolios of assets, consisting of cash and other forms of assets, collected from persons in return of fund participation units, and managed by a portfolio management company. Investment funds are based on the principles of fiduciary ownership and contractual relationship between the holders of participation units and the portfolio management company. Investment funds do not have legal personality for the purposes of Turkish law other than in respect of real estate transactions that require registration of the fund with title deed registries
- Investment entities (yatırım kuruluşları) for the purposes of the Capital Markets Law consists of intermediary entities, capital markets entities and banks that are authorised to provide investment services and activities
Other types of entities provided by the Capital Markets Law include authorised audit companies, appraisal firms, credit rating agencies, portfolio management companies, mortgage finance companies, housing and asset financing funds, asset lease companies (established for issuance of lease certificates/sukuk bonds), central clearing institutions, central depository institutions, crowdfunding platforms and trade repositories.
2. What are the key regulatory authorities that are responsible for the financial services sector?
Banking Regulation and Supervision Agency
The Banking Regulation and Supervision Agency (Bankacılık Düzenleme ve Denetleme Kurumu) (BRSA) was established in 2000 as an independent and central supervisory authority to supervise the establishment, management and activities of banks and other financial institutions, including:
- Foreign banks' branches in Turkey
- Financial holding companies
- Financial leasing, factoring and consumer finance companies
BRSA is vested with the authority and responsibility to protect the rights of depositors and ensures reliability and stability in financial markets and promotes the effective functioning of the loan markets. The main responsibilities and powers of the BRSA include:
- Regulating incorporation, management, organisation, share transfer and other transactions of banks, financial holding companies, financial leasing and factoring companies; ensuring compliance with banking legislation; issuance of resolutions relating to the banking and financial services activities
- Reducing transaction and intermediation costs for more competitive banking operations, maximising market integration, increasing transparency in financial markets
- Inspecting the risk structures, internal controls, risk management, internal audit systems, receivables, shareholder equities, payables, profit and loss accounts, and liability balances of relevant financial institutions; ensuring compliance with the principles of corporate governance in banks and other financial sector participants
- Evaluating the annual financial reports of banks and other financial sector participants that are issued by independent audit institutions
Capital Markets Board of Turkey
The Capital Markets Board of Turkey (Sermaye Piyasası Kurulu) (CMB) is the regulatory authority responsible for ensuring reliability and stability in Turkey's securities market. Established in 1981, and currently operating under the Capital Markets Law, its objectives are to provide for fair and orderly functioning of the capital markets and the protection of rights of the investors.
The main strategic objectives of the CMB are to:
- Enhance investor protection
- Fully integrate the norms of the international capital markets into Turkish capital markets legislation
- Promote and enhance the effectiveness of both the supply and demand side of the capital markets
- Promote transparency and fairness in the capital markets
- Facilitate modernisation of the capital markets infrastructure
Central Bank of the Republic of Turkey
The Central Bank of the Republic of Turkey (Türkiye Cumhuriyeti Merkez Bankası) (Central Bank) is an independent entity, primarily responsible for the administration of the monetary and exchange rate policies of the Turkish economy. Established in 1931, the Central Bank also regulates banks in relation to their foreign currency operations, reserve requirements and capital adequacy rules.
The main strategic objectives of the Central Bank are to:
- Achieve and maintain price stability and financial stability
- Determine and provide stability to the exchange rate regime with the government
- Print and issue banknotes
- Establish fast and secure transfer and settlement systems. The Central Bank operates Electronic Funds Transfer (EFT) and Electronic Securities Transfer systems
As of 1 January 2020, the Central Bank has been authorised to oversee payment companies and electronic money companies, instead of the BRSA. An amendment dated 22 November 2019 (Amendment Law) introduced important changes to the Law on Payment Systems, making the Central Bank the primary regulator of the payment systems sector, increasing the scope of the Central Bank's existing supervisory powers under the applicable legislation and paving the way for open banking (see Question 6).
Ministry of Treasury and Finance of the Republic of Turkey
The main strategic objectives of the Ministry of Treasury and Finance are to:
- Manage public financial assets and liabilities
- Regulate, implement and supervise economic, financial and sectoral policies, including foreign exchange regime
- Provide co-ordination of international economic relations in a transparent, accountable and efficient way
- Set out principles and rules regarding money laundering
The Ministry of Treasury and Finance's duties in respect of the insurance sector have been recently transferred to the Insurance and Private Pension Regulation and Supervision Agency (Sigortacılık ve Özel Emeklilik Düzenleme ve Denetleme Kurumu) (Agency) under Presidential Decree No. 48, which entered into force on 18 October 2019. The Agency will be officially established once it convenes its first board meeting following the appointment of the chairman and members of the board, and its main strategic objectives are:
- Regulating, implementing and supervising insurance and private pension legislation
- Taking the necessary steps and precautions to improve Turkish insurance and private pension practice and to protect the insureds and participants
- Licensing insurance and reinsurance companies and branches of foreign insurance or reinsurance companies, ensuring compliance with the insurance and private pension legislation
Istanbul Stock Exchange (Borsa Istanbul) (BIST)
BIST, the sole stock exchange in Turkey, combines in a single institution the Istanbul Stock Exchange, Istanbul Gold Exchange and the Turkish Derivatives Exchange (all of which existed previously). There are currently four main markets on BIST:
- Equities market
- Debt securities market
- Derivatives market
- Precious metals and diamonds market
The main markets consist of several sub-markets, for example, the BIST Star and BIST Main sub-markets under the Equity Market. Companies deemed eligible to form the Borsa Istanbul National 100 index and companies that have quoted shares with a market value of TRY150 million or more constitute the BIST Star sub-market with the rest of the listed companies forming the BIST Main sub-market.
Financial instruments currently traded on BIST markets include equities, exchange traded funds, government bonds and bills, corporate bonds and bills, covered bonds, money market instruments (repo/reverse repo), asset backed securities, futures and options, real estate certificates and lease certificates. Lease certificates modelled on sukuk bonds may be issued based on revenues to be generated from an ownership, management, sale and purchase, partnership or service contract.
For each segment of the financial industry, there are also self-regulating organisations, including:
- The Banks Association of Turkey
- The Participation Banks Association of Turkey
- The Association of Financial Institutions
- The Turkish Capital Markets Association
- The Insurance Association of Turkey
- The Payment and Electronic Money Institutions Association of Turkey (introduced by the Amendment Law, the relevant provision of which will enter into force on 22 May 2020)
Overview of FinTech sector
3. What areas of the financial services sector has FinTech significantly influenced so far?
The promulgation of the Law on Payment Systems in 2013 is an important step in the development of the FinTech sector in Turkey (see Question 6). As a result, FinTech has been a key innovator for payment systems and money collection and transfer (including pre-paid cards, digital wallets, invoice and accounting, budget management, offline payments, money transfers, loyalty cards, bill collection, cash collection, cash registers and point-of-sale devices and credit scoring).
4. How do traditional financial services entities engage with FinTech?
The traditional financial services sector in Turkey is led by banks, which have rapidly responded and adapted to FinTech due to:
- Their market size
- Efficient use of technology
- The large product range they offer to customers
Turkish banks offer advanced retail banking products, ahead of many of their international competitors, including loan applications submitted through text messages, cash withdrawals using a QR code, mobile contactless payments, artificial intelligence-based financial assistants, and opening bank accounts through video conference. Certain products offered by Turkish banks also involve co-operation with FinTech entities, such as mobile internet banking applications, and even with public authorities, such as the General Directorate of Land Registry and Cadastre for electronically establishing a mortgage.
Securities and insurance sectors have also been influenced by FinTech to a lesser extent (see Question 7 and Question 8).
Regulatory environment
Alternative finance
5. How is the use of FinTech in alternative finance activities regulated?
There is no specific legislation regarding the use and application of FinTech on marketplace lending activities (including B2B, B2C, C2C, peer-to-peer lending and so on). Lending activities are highly regulated in Turkey on a national level by the BRSA.
Only BRSA-authorised entities can legally conduct lending activities under the Banking Law or the Financial Leasing Law. Unauthorised money lending and earning interest from such funds is a crime, defined as usury (tefecilik), which is punishable by two to five years imprisonment and punitive fines of up to TRY500,000 (Criminal Code No. 5237).
Accordingly, no B2B, B2C, C2C, or peer-to-peer lending platforms are currently active in Turkey and no such activity may be conducted under the current legislation.
However, crowdfunding activities and platforms are permitted and regulated on a national level by the CMB. Under a set of amendments to the Capital Markets Law made on 5 December 2017, crowdfunded project entities are defined, and carved out of the legal definition of "public entity" (i.e. joint stock companies with more than 500 shareholders, which are deemed to be public even if their shares are not traded on Borsa Istanbul). As public companies have a number of disclosure and corporate governance requirements that may be burdensome on a crowdfunded project entity, such carve out provides for a regulatory environment that supports the establishment and development of crowdfunded entities.
Additionally, crowdfunded project entities are carved out of the definition of "issuer" and are not required to issue a prospectus or offering circular to launch crowdfunding campaigns. They are also exempt from extensive book keeping and disclosure requirements that are applicable to public entities and issuers, which also helps develop and support the crowdfunding industry.
Under secondary legislation on equity-based crowdfunding adopted on 3 October 2019, technology or production start-up companies can apply to crowdfunding platforms to raise capital in return for equity. Such platforms are regulated on a national level by the CMB (for example, crowdfunding platforms require the approval and whitelisting of the CMB to commence operations, and their corporate structure, corporate governance and activities are supervised by the CMB).
Payment platforms
6. How is the use of FinTech in payments-related activities regulated?
FinTech is widely used in payment-related activities in Turkey; for example, internet and mobile banking systems are well-established with a high market penetration rate. These services allow customers to conduct banking transactions, including national and international money transfers (subject to certain limitations regarding processing orders outside of usual banking hours). General regulations applicable to financial services infrastructure are also applicable for money transfer transactions. For further information on other regulations applicable to the use of FinTech, see Question 10.
Payment systems are regulated on a national level under the Law on Payment Systems.
Under the Law on Payment Systems, the following payment services can be conducted by payment entities (ödeme kuruluşları):
- All transactions regarding management of a payment account, including crediting and debiting of amounts to that account
- Money transfers, including direct debiting from the account and regular payment made with a payment card
- Issuance and acceptance of a payment instrument
- Transfer of money
- Making of payments via an electronic communication device
- Intermediary services for payment of invoices
Under an amendment dated 22 November 2019 to the Law on Payment Systems, the scope of payment services was expanded to include, as of 1 January 2020, open banking solutions as follows:
- Upon the request of the payment services user, the initiation of a payment order with regard to a payment account available at another payment service provider (payment initiation services)
- Upon the permission of the payment services user, the provision of online platforms containing consolidated information regarding the user's payment account(s) held at payment service providers (account information services)
Although some banks have already started offering open banking products to its customers, it is important that open banking is now explicitly provided for in the legislation. We expect that this regulatory framework will help expand and develop open banking solutions. With the use of open banking, customers will be able to better manage their financial information and multiple bank accounts, and negotiate tailormade financial products and solutions using this data. Open banking will help more FinTech entities, which usually have limited resources compared to banks, to develop innovative products using banks' application programming interfaces (APIs).
In addition, the Central Bank may decide that other payment services and transactions reaching a certain threshold with regard to their overall size and impact area will qualify as payment services.
Payment entities can commence operations upon obtaining a licence granted by the Central Bank (which was previously granted by the BRSA).
The following entities can conduct payment service activities:
- Banks operating under the Banking Law
- E-money entities
- Payment entities operating under the Law on Payment Systems
- National postal service (Posta ve Telgraf Teşkilatı A.Ş.)
Under the Law on Payment Systems, the following payment services can be conducted by e-money entities (elektronik para kuruluşları) once they have obtained an operation licence from the BRSA (or the Central Bank, as of 1 January 2020):
- Issuance of e-money, in return of the funds collected. The funds must be kept in a deposit account of a bank established under the Banking Law and the funds must not be connected with lending activities or pay interest
- Facilitating payments with such electronic money issued
The prerequisites for obtaining an operation licence for conducting payment service activities and/or e-money entities include:
- Establishment of a joint stock company with a minimum paid-in capital (ranging from TRY1 million to TRY2 million for payment entities and TRY5 million for e-money entities)
- Employing sufficient number of qualified persons
- Owning required technical infrastructure
- Ensuring adequate risk management
- Information security and business continuity
- Forming an open and transparent organisational structure
Persons who hold more than 10% of the total share capital (or controlling interest) must have the qualifications set out under the Banking Law for founders of banks. For example, they must not have been declared bankrupt, been found guilty of certain criminal acts or held qualified shares in, or exercised control over, a financial institution whose activity permit has been cancelled.
According to the Central Bank's official website, there are currently 34 payment entities and 18 e-money entities. Note that payment or electronic money entities to be established after 1 January 2020 will be licensed by the Central Bank under the Law on Payment Systems as amended on 22 November 2019.
In addition to the payment methods set out above, conventional point-of-sale (POS) devices are also widely used and regulated on a national level in Turkey. According to a series of communiqués issued by the Revenue Administration of Turkey (Gelir İdaresi Başkanlığı), including Communiqué No. 426 on Tax Procedure Law, use of "new generation cash registers" are mandatory for all vendors. These devices serve as both POS devices and cash registers for the purposes of tax-related record keeping and can support contactless payments.
Under Communiqué No. 509 on Tax Procedure Law dated 19 October 2019, the Revenue Administration of Turkey (Gelir İdaresi Başkanlığı) has obliged certain taxpayers to electronically issue documents required under the Tax Procedure Law No. 213. Such documents include invoices (fatura), self-employment invoices (serbest meslek makbuzu) and delivery notes (sevk irsaliyesi). This transformation aims to improve sustainability by decreasing the use of paper in tax matters and preventing the black economy.
The Turkish Government has also announced a common payment platform (Türkiye Ortak Ödeme Platformu), composed of six Turkish companies operating in the banking, payments/e-money, telecommunication and transportation sectors. The platform aims to ease daily money payment transactions, including shopping and transportation and will also allow unbanked users to effect money transfers.
Investment/asset management
7. How is the use of FinTech in the securities market regulated, if at all?
The CMB's Communiqué No. III-37.1 on Investment Services and Activities and Ancillary Services permits investment companies to accept orders electronically in trading transactions. Investment companies must still sign framework agreements with their customers, open accounts in their name and acquire registration numbers from the Central Securities Depository. Leveraged transactions (sale and purchase through leverage of foreign exchange, precious metals and other assets designated by the CMB) are conducted on electronic platforms.
Another noteworthy development is the Istanbul Stock Exchange's (BIST) execution of a strategic partnership agreement with NASDAQ OMX Group on 20 January 2014, which introduced a substantial renovation on BIST's market applications and technological infrastructure.
For information on crowdfunding and blockchain, see Question 5 and Question 9.
InsurTech
8. How is the use of FinTech in the insurance sector regulated?
Currently, the insurance and reinsurance industry has not engaged with FinTech companies as much as other financial institutions in Turkey.
Insurance activities are regulated on a national level by the Ministry of Treasury and Finance. All insurance and reinsurance companies must obtain an operating licence from the Ministry of Treasury and Finance to operate in Turkey. Additionally, certain transactions of insurance companies are subject to the Ministry of Treasury and Finance's approval, such as share transfers. Once established, the Insurance and Private Pension Regulation and Supervision Agency (Sigortacılık ve Özel Emeklilik Düzenleme ve Denetleme Kurumu (see Question 2)) will assume responsibility for the insurance industry.
The Insurance Association of Turkey (Türkiye Sigorta, Reasürans ve Emeklilik Şirketleri Birliği) is a non-governmental institution established by law. All local and foreign insurance, reinsurance and pension companies operating in Turkey must be a member of this association. The main objectives of the Insurance Association of Turkey are to:
- Promote the insurance and reinsurance and private pension sectors in general
- Conduct research on insurance and private pensions in line with national and international developments
- Provide recommendations to relevant public authorities
- Take action against unfair competition practices among members
- Provide training and other educational activities to promote the insurance sector
The insurance sector has engaged to some extent with FinTech, for example, adopting mobile applications helping customers compare insurance products, manage policies and providing certain data. Noteworthy FinTech solutions in the insurance sector have been introduced by the Insurance Information and Monitoring Center (Sigorta Bilgi ve Gözetim Merkezi) established within the Insurance Association of Turkey. This centre has introduced some innovative products, including:
- "SBMobil" application: This allows users to access information related to their insurance policies by entering their profile and insurance information on their smart phones
- "Mobile Accident Report" application: This allows users to fill in obligatory accident reports after a traffic accident much faster and conveniently than filling in the hardcopy accident report
Sector representatives expect that blockchain based solutions in the insurance sector will boost Insurtech in Turkey.
Blockchain-based solutions
9. How is the use of blockchain in the financial services sector regulated?
Blockchain-related activities and cryptocurrency-related transactions are currently not regulated under Turkish law. Consequently, blockchain-related activities and cryptocurrency-related activities are not defined under any primary or secondary legislation (including, initial coin offerings (ICOs) and cryptocurrency payment processing services).
The first official statement by a Turkish authority on cryptocurrencies was a statement published by the BRSA on 25 November 2013. In its statement, BRSA clarified that "Bitcoin" and other cryptocurrencies were not e-money as defined under the Law on Payment Systems and therefore, were not regulated and audited by BRSA. In this statement, the BRSA "reminded the public of the possible risks inherent to the virtual currencies" as "the pricing of such virtual currencies may be highly volatile, digital wallets may be stolen or lost; and as a result of the irrevocable nature of transactions, exposed to risks from operational errors and fraudulent sellers".
In recent years, statements from ministers and representatives of regulatory authorities emphasised the potential of blockchain technology and cryptocurrencies in relation to financial infrastructure, while at the same time cautioning investors regarding the volatile nature of pricing of cryptocurrencies.
On 11 January 2018, the Financial Stability Committee (Finansal İstikrar Komitesi), comprised of the Deputy Prime Minister in charge of the Undersecretariat of Treasury and heads of the Central Bank, BRSA, CMB and Saving Deposits Insurance Fund, issued a press statement reiterating the concerns regarding cryptocurrencies as stated by the BRSA on 25 November 2013. The press release of the Financial Stability Committee further emphasised that ICO related activities are not regulated or audited and therefore at risk for fraud. In an announcement dated 27 September 2018, the CMB stated that ICOs are high-risk and speculative investments and warned investors of their risks, including the unregulated nature of such activities, high volatility and possibility of misleading or inaccurate information in the issuance documents.
That said, there has recently been a more positive approach to the use of blockchain in the financial sector:
- As announced in the 2019-2023 Development Plan of the Republic of Turkey Presidency in July 2019, blockchain-based digital central bank money (blokzincir tabanlı dijital merkez bankası parası) is intended to be introduced
- Istanbul Clearing, Settlement and Custody Bank (Takasbank) has developed a new blockchain-based transfer infrastructure platform: BiGa (abbreviated from "bir gram altın", which stands for "one gram of gold" in Turkish). BiGa is currently being integrated to Takasbank's gold transfer system, but it can also be used for transfer of any digitalised asset other than gold, as it is designed as a transfer infrastructure platform
- Cryptocurrency exchanges and Bitcoin ATMs are also available in Turkey
Financial services infrastructure
10. What types of financial services infrastructure-related activities of FinTech entities are regulated?
Other than the legislation providing for the payment entities and e-money entities, no specific regulation has been issued addressing FinTech in Turkey. However, the regulators have issued rules on the use of technology and measures to be taken by the institutions to ensure the security and efficiency of the financial services infrastructure.
BRSA requires banks to take all necessary measures to calculate, monitor, check and report risks that might arise from the banks' use of information technologies (IT). Within this general framework, the BRSA provides for additional obligations for internet banking and ATM machines due to specific risks they pose to the banks and customers (such as cybersecurity issues, risk of theft, attack, identity authentication issues and so on). Accordingly, for financial services provided through internet banking, banks must:
- Regularly monitor their security control processes
- Implement appropriate and safe identity authentication mechanisms
- Ensure that transactions are "undeniable" by both the party initiating the transaction and the party completing it
- Regularly inform their customers of internet banking policies and procedures
- Ensure continuity of the services and implement recovery plans in case of service disruption
For banking services provided through ATM machines, banks must take all measures against theft, fraud, physical attacks that may target ATM customers and raise awareness for the secure use of ATMs.
As a general obligation, banks must take necessary measures to maintain the confidentiality of transactions (and the data stored, processed, transferred thereby) effected through IT systems. Banks regularly inform their customers of the general use and risks of digital banking, as well as security measures taken by the bank. Banks must also implement mechanism to monitor customer complaints.
Central Bank also imposes similar obligations on payment entities and e-money entities. These entities must prepare a risk management policy and detect, analyse, monitor, control and report all risks arising from the use of information technologies. They must take all necessary measures to ensure data confidentiality and security and implement mechanisms for identity authentication.
In its Communiqué numbered VII-128.9 on Management of Information Systems which entered into force on 5 January 2018, the CMB provided for rules governing management, security, sustainability and efficient operation of information systems of various capital markets institutions, including:
- Borsa Istanbul
- Pension funds
- Istanbul Clearing, Settlement and Custody Bank (Takasbank)
- Central Securities Depository (Merkezi Kayıt Kuruluşu)
- Capital markets institutions
- Public companies
Management of information systems is deemed to be a part of corporate governance practices.
Similar to the Central Bank regulations with regard to payment and e-money entities, the CMB requires the obligated entities to:
- Adopt an information security policy
- Implement risk management procedures and processes
- Conduct information system controls
- Ensure network security, data confidentiality and secrecy of customer data
- Take necessary steps for identity authentication
The CMB provides for a two-tier information system, consisting of primary systems and secondary systems. Primary systems include all infrastructure, hardware, software and data allowing a safe and immediate access to all information required for the obligated entities' activities. Secondary systems include primary system back-ups in case of disruption of services. Entities must maintain both systems in Turkey.
The entities must also inform their customers of the risks of services offered through electronic means and security measures taken by them.
Regulatory compliance
11. What are the key regulatory compliance issues faced by FinTech entities?
In addition to the banking and securities laws applicable to FinTech sector players, there are other regulatory compliance issues that must be considered by FinTech entities.
For the regulatory compliance issues faced by FinTech in relation to consumer protection laws, the Law No. 6502 on Protection of the Consumer, which entered into force on 28 May 2014 (Law on Consumer Protection) provides the general framework for protecting the economic benefits of consumers and aims to raise awareness on the consumer side. Banks and other financial institutions that extend loans or issue credit/debit cards must inform the consumer relating to any fees and expenses payable (other than the relevant interest payments) regarding such loans in accordance with the secondary legislation issued by the BRSA.
Furthermore, principles and provisions applicable to the execution of contracts relating to financial services (including banking services, extension of loans, insurance, private pension system (bireysel emeklilik sistemi), investments and payments) using a communication device (for example, phone, internet, mobile applications) are provided under the Law on Consumer Protection. The consumer must be fully informed of the consumer's obligations under the contract and the consumer's rights of termination. This information must be presented in a manner that is:
- Clear
- Understandable
- Compatible with the communication device that is being used
The relevant entity providing the financial services must ensure that all necessary records are kept relating to the referred communications.
In addition to the general provisions, payment entities and e-money entities are subject to further regulations with regard to relations with their customers, record keeping, and information security. Such entities are required to execute a framework agreement with their customers containing, among other information:
- Identification of both parties
- Scope of services to be provided
- The process that will be used for approving a payment order and revoking of such payment order
- Determination of the time of placing a payment order
- Operating hours of the payment system
- Any foreign exchange rate/information on calculation of foreign exchange rate
- Fees payable
Moreover, these entities must store all relevant documents and records domestically in Turkey, in a safe and accessible manner and take necessary precautions to prevent unauthorised access to such documents and records (Law on Payment Systems). Failure to comply with these requirements can result in criminal liability, and may be subject to payment of punitive fines and/or imprisonment.
Turkey enacted Law No. 6698 on Protection of Personal Data (Data Protection Law) on 7 April 2016. This long-awaited law, largely based on Directive 95/46/EC on data protection (Data Protection Directive), was enacted following the ratification of the European Council's Convention for the protection of individuals when processing personal data and on the free movement of such data and its related protocol.
Turkish companies must also comply with the Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (GDPR)) if they:
- Offer goods or services to data subjects in the EU
- Monitor the behaviour of EU data subjects that takes place in the EU (such as using online tracking tools to profile an individual)
In addition to the obligations imposed by the regulators (see Question 10), FinTech entities must comply with the Data Protection Law, its secondary legislation and to the extent applicable, with GDPR.
"Personal data" is defined as any information relating to an identified or identifiable person. The Data Protection Law does not provide specific examples of personal data. However, examples of personal data may include name, address, date of birth, e-mail address and employment-related information. The Data Protection Law also provides for a separate list of "special personal data", including information on:
- The appearance and clothing of the person
- Criminal records
- Biometric and genetic data
This is especially important for today's banking practices where banks use biometrics (face recognition, retina scan, palm scan, among others) to verify the identity of their customers.
The Data Protection Law distinguishes between "data controllers" and "data processors" and sets out their respective responsibilities. A data controller (veri sorumlusu) determines the objectives of, and means for, processing data. A data controller is responsible for the establishment and management of the data recording system. A data processor (veri işleyen) processes personal data based on authority given by the data controller. Data controllers and data processors may be individuals or legal entities.
The Turkish Data Protection Authority (Turkish DPA) keeps a publicly available database (VERBİS) and requires all data controllers who process personal data in Turkey to be registered with VERBİS. With its decision dated December 2019, the Turkish DPA set the following deadlines for certain data controllers to complete their registration with VERBİS:
- Legal entities with more than 50 employees annually, or whose annual total financial statement exceeds TRY25,000,000 (approximately USD4,500,000), must have registered before 30 June 2020
- Legal entities located abroad must have registered before 30 June 2020
- Legal entities with less than 50 employees annually and whose annual total financial statement is less than TRY25,000,000, but whose main business is processing special personal data, must register before 31 December 2020
Data controllers who become subject to the registration requirement after the deadlines listed above (as they fulfil the registration criteria) must register with VERBİS within 30 days upon fulfilment of the registration criteria.
There may be a variety of reasons to process personal data. However, processing must comply with the general principles set forth by the Data Protection Law, regardless of the purpose for processing. Accordingly, personal data must be processed lawfully, fairly and accurately and, where necessary, kept up-to-date. Data collected must:
- Be for a specific, explicit and legitimate purpose
- Be relevant and not disproportionate for the purpose for which it is being processed
- Not be held for longer than is required for such purpose
Processing may only be made with the express consent of the data subject. The Data Protection Law provides for certain exceptions to the consent requirement, for example, if the processing is required explicitly by law or directly related to the execution or performance of a contract (in this case only the personal data of the contracting parties may be processed). Processing of special personal data also requires the data subject's express consent or the existence of an explicit statutory exemption. Additionally, data controllers must take sufficient measures to protect special personal data. The Turkish DPA recently published a list of measures, which include the adoption of a separate policy for such data, regular training for employees and execution of confidentiality agreements with these employees, ensuring the security of the electronic platform or physical media where such data is kept and taking additional security measures when transferring such data.
Transfer of data is subject to the same rules and exceptions as the processing: In general, no transfer may be made without the express consent of the subject but under certain circumstances data may be transferred without consent. The same set of exceptions to the consent requirement applies to transfer of data. Transfer of personal data without consent is subject to further restrictions if the data is transferred outside of Turkey. Data controllers can transfer personal data to a recipient country with an adequate level of data protection, or where there is a written agreement with the data controller or processor in the recipient country if that recipient country does not have an adequate level of data protection. This agreement must be submitted to and approved by the Turkish DPA. While the Turkish DPA is still to announce the "white list" countries that will be deemed to have an adequate data protection level, it has announced the minimum required content of the above-mentioned agreement.
A data controller or its representative has disclosure obligations against the data subjects, which include the identity of the data controller or its representative, reasons for processing, to whom the data may be disclosed (recipient) and for what purpose. Data controllers must take any required administrative and technical precaution to maintain the necessary level of data security. If data is processed by another individual or legal entity on behalf of the data controller, the data controller is jointly responsible with the processor individual or legal entity for taking such precautions. Data controllers and processors may neither disclose personal data if not required by law nor use such data for a purpose other than the defined collection purpose. Data controllers must carry out necessary monitoring and audits to ensure compliance.
For know-your-client, anti-money laundering, and counter-terrorist financing regulations, the main regulatory institution in Turkey is the Financial Crimes Investigation Board (Mali Suçları Araştırma Kurulu) (MASAK) of the Ministry of Treasury and Finance.
Within this framework, MASAK imposes certain obligations on financial institutions and some professional organisations, including banks, capital market institutions, insurance companies, payment companies and e-money companies. These obligated institutions must, amongst other things:
- Implement know-your-client/customer identification mechanisms
- Report suspicious transactions
- Draw up and implement compliance programmes, including assignment of compliance officers and establishment of internal audit, control and risk management systems
MASAK and the information/technology systems regulations impose on financial entities know-your-client/know-your-customer requirements (see Question 10).
12. Do FinTech entities encounter any additional regulatory barriers in entering into partnerships or other arrangements with traditional financial services providers? How common are these arrangements in your jurisdiction?
There are no regulatory barriers for FinTech entities to enter into partnerships or other similar arrangements with traditional financial services providers. Recently established FinTech entities, such as start-ups and crowdfunded project entities may cooperate with traditional service providers, such as banks and other financial institutions.
In fact, many established banks in Turkey have institutionalised their efforts to promote and finance FinTech start-ups under angel-investment and incubation centre programmes.
Moreover, several local banks that have been providing internet banking services for over a decade, have established websites that enable entrepreneurs and software developers to produce FinTech applications using that bank's API. This provides start-ups with the opportunity to build FinTech tools using the bank's existing technological infrastructure, providing higher integration of start-ups to the existing ecosystem; while promoting bank's financial infrastructure as a platform that is open to growth and collaboration. Recently, certain FinTech companies have followed suit and allowed third-party developers and other users to use their APIs.
13. Do foreign FinTech entities intending to provide services in your jurisdiction encounter regulatory barriers that are different from domestic FinTech entities?
Under Law No. 4875 on Foreign Direct Investment, which entered into force on 17 June 2003, it is a statutory requirement under Turkish law that foreign investments are treated on equal terms with domestic investors. Accordingly, FinTech entities intending to provide services within the Turkish jurisdiction should not, by operation of law, encounter regulatory barriers that are different from domestic FinTech entities.
Regulatory requirements and minimum eligibility criteria that are set out under relevant legislation apply to foreign FinTech entities as they apply to domestic FinTech entities. These include, when applicable, obtaining an establishment and operating permit; and storing relevant documents and data domestically (that is, in Turkey).
14. What steps can be taken in your jurisdiction to protect FinTech innovations and inventions?
Among other categories of intellectual property, the Law on Industrial Property No. 6769 provides for the following categories of intellectual property to be registered and protected, which could be used for FinTech innovations in Turkey:
- Patents or utility models: A patent is a protection provided for inventions that are, in comparison to an artistic work product, technically complex and industrially applicable. A utility model is a weaker protection provided for inventions which are not complex enough to be registered as patents
- Industrial designs: Industrial design is a protection provided for original designs with unique characteristics created to technically complement a product in terms of its shape, size, colour, style, configuration, material, or any other specification or feature
Although not specifically targeting FinTech entities and investments, the following create a more favourable environment for the FinTech ecosystem in Turkey:
- The Corporate Tax Law No. 5520 introduced a corporate tax exemption for inventions created through research and development (R&D), innovation or software development activities provided that these inventions are protected by a patent or utility model under the applicable Turkish laws. 50% of the gains derived from the lease, sale or transfer of such inventions are corporate tax exempt. The exemption also applies to indemnity or insurance claims payments arising from the breach of the invention rights. In addition, if the invention is used in a product, the exemption applies to the gains derived from the sale of that product to such extent attributable to the invention
- The Law No. 5746 on Supporting Research, Development and Design Activities and the Law No. 4691 on Technology Development Zones introduced incentive and support mechanisms for R&D activities. Mechanisms encompass tax deductions and exemptions (including income tax and stamp tax), social security premium support and certain grants
- The Stamp Tax Law No. 488 exempts from stamp tax agreements and other documents of venture capital investment trusts (girişim sermayesi yatırım ortaklıkları) and venture capital investment funds (girişim sermayesi yatırım fonları) with regard to their venture capital investments
Government initiatives
15. To what extent have governments and/or regulators in your jurisdiction sought to create a more favourable regulatory environment for FinTech entities?
On several occasions, representatives of the relevant ministries and regulatory authorities, including the BRSA, have stated that governmental authorities are working in coordination to provide for an ideal regulatory environment to foster the growth of the FinTech sector, while protecting the members of the FinTech eco-system (including the service providers and the customers).
Under the 2019-2023 Development Plan announced by the Presidency in July 2019, action will be taken to further develop the FinTech sector in Turkey (some action has already been taken with the recent amendment to the Law on Payment Systems). Such action includes:
- Helping support a secure FinTech ecosystem based on international best practices, ensuring a level playing field among various entities
- Developing a roadmap to promote the FinTech sector and co-ordinate implementation through a single public authority
- Establishing the Istanbul Finance and Technology Base
- Establishing the Payment and Electronic Money Institutions Association of Turkey
- Providing a legal framework for open banking and align national legislation with the Directive (EU) 2015/2366 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) 1093/2010, and repealing Directive 2007/64/EC (Payment Services Directive) (referred to as PSD2)
- Introducing financial literacy classes in primary and secondary education and universities
Although traditionally the regulatory authorities have abstained from issuing or enforcing any regulation on cryptocurrencies, recently we have seen a more welcoming approach (see Question 9).
16. Are there any special regimes in place to facilitate access to capital for FinTech entities?
There are funds made available by Scientific and Technological Research Council of Turkey (TÜBİTAK) and European Union supported programmes, such as Horizon 2020, the EU's programme for research and development. However, FinTech entities have mostly relied on investment from angel investors, venture capital firms and banks.
The Council of Ministers Decree No. 2018/11662 dated 5 June 2018 (Decree No. 2018/11662) sets out the procedure for transferring funds from the Treasury budget to venture capital funds that provide financing to companies and/or projects. FinTech sector representatives expect to receive a sizable portion of these funds. In January 2019, the Ministry of Treasury and Finance announced its plan to allocate funds of up to TRY400 million in the next five years and invited venture capital funds to apply for evaluation.
17. Is the government taking measures to encourage foreign FinTech entities to establish a domestic presence?
The objective of the Turkish Government is to facilitate growth in Turkish financial markets, including FinTech, to position Turkey (and especially Istanbul) as a finance hub for the Europe Middle East Africa (EMEA) region.
The establishment of the Istanbul Finance Centre (Istanbul Finans Merkezi), a finance hub which will host regulatory authorities, conventional finance institutions, and FinTech start-ups, is currently in progress. The Turkish Government's intention is that, upon its expected completion in 2022, the Istanbul Finance Centre will be another incentive for foreign FinTech entities to establish a presence in Turkey.
Cross-border provision of services
18. Are there any special rules that affect the cross-border provision of financial products or services by both domestic and foreign FinTech entities?
Domestic FinTech entities
Under the Banking Law, the establishment of a foreign branch, establishment of or participation in a foreign partnership by a bank primarily established in Turkey is subject to the approval of the BRSA. Accordingly, banks may be subject to the approval of the BRSA with regards to the cross-border provision of financial products or services, if such activity entails the establishment of a foreign branch, establishment of or participation in a foreign partnership.
There is no blanket provision covering all domestic FinTech entities with regards to their cross-border activities. Accordingly, there are no special rules that affect the cross-border provision of financial products or services by domestic FinTech entities. In fact, several payment entities, and a payment platform established in Turkey, are already providing cross-border services.
Foreign FinTech entities
Regulatory requirements and minimum eligibility criteria that are set out under relevant legislation apply to all FinTech entities that are operating in Turkey. Accordingly, among other requirements, such entities may be required to obtain permits from relevant regulatory authorities and store relevant documents and data domestically (that is, in Turkey).
The future of FinTech
19. Are there any ongoing regulatory measures or initiatives that may affect FinTech in your jurisdiction?
In light of the official statements, the Financial Stability Committee stated in its statement dated 11 January 2018 that a working group comprised of all relevant ministries and regulatory authorities would be formed to draft the relevant legal framework for cryptocurrencies and blockchain-related activities (see Question 9). The Head of the Central Bank has stated that developments regarding digital currencies are followed closely by the Central Bank, and "if designed correctly, such digital currencies may contribute to financial stability". Turkey is also preparing to launch its blockchain-based digital central bank money (blokzincir tabanlı dijital merkez bankası parası) (see Question 9).
After entry into force of PSD2 (see Question 15) in Europe, Turkey has taken steps towards open banking and enabled the provision of payment initiation and account information services with a recent amendment which entered into force on 1 January 2020 (see Question 6). With the advancement of open banking, we also expect that further regulations will be introduced with respect to both data protection/privacy and combating financial fraud.
FinTech investments in Turkey have been channelled principally through the banking industry and payment systems. As new areas of interest emerge, such as blockchain, robo-advisors and alternative crowdfunding activities, new rules and regulations are expected to be introduced.