The Central Bank of the Republic of Türkiye (“CBRT”) made amendments to the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in Payment Services (“Communiqué”). These were published in Official Gazette No. 32332 on October 7, 2023. With the amendments, regulations have been introduced regarding the establishment of internet-based methods for identification in transactions carried out by means of “near field communication” and remote communication. Procedures and principles regarding the transfer of data to relevant third parties abroad, based on a request or instruction from the customer regarding the payment transaction, have also been determined.
The amendments made to the Communiqué are available here (in Turkish).
With the amendments, the concept of “near field communication” is included in the scope of the Communiqué. Accordingly, Article 3 of the Communiqué defines “near field communication” as a short-range wireless connection technology in which data is transmitted through the magnetic field generated by bringing electronic devices into physical contact with each other or by bringing them closer to each other without contact to ensure communication between them.
Article 13/8 of the Communiqué on the creation of audit trails regulates the procedures and principles to be followed if the audit trail registration system ceases for any reason. In this regard, although it is essential that no transactions take place until the audit trail registration system has been reactivated, if a transaction takes place during this period, the audit trails of such transaction shall be recorded in the audit trail registration system by preserving the system’s security and integrity. In parallel to this, payment and electronic money institutions (“Institutions”) are obliged to prove that all transactions carried out during this period were carried out by authorized persons in accordance with the provisions of the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers and the Communiqué. They are also obliged to compensate the parties if any party suffers any loss due to these transactions.
With respect to procuring outsourced services related to information systems, Article 16/12 of the Communiqué provides that the provisions of Article 16/9, which cover the minimum elements in outsourcing contracts, shall be applied to the extent appropriate to the nature of the contract, for service procurement contracts that do not have the potential to affect the confidentiality, integrity and accessibility of data and the continuity of the service provided by Institutions; that do not result in the sharing of sensitive customer data and customer information with the outsourcing service provider; and that are not designed and offered specifically for Institutions. Moreover, Article 16/13 of the Communiqué stipulates that, for products and services to be procured within the scope of critical information systems and security, utmost care shall be taken to ensure that these products and services are manufactured in Türkiye or that their manufacturers’ research and development centers are located in Türkiye. It also stipulates that this will be considered a crucial criterion for outsourcing services.
Similarly, with the last paragraph added to Article 21 of the Communiqué, which sets out the limitations on information systems, in cases where the party to the payment transaction or the service provider is located abroad, Institutions are allowed to transfer the required data to the relevant third parties abroad, based on a request or instruction from the customer regarding the payment transaction, without prejudice to the obligations under Article 9 of Law No. 6698 on the Protection of Personal Data. However, certain conditions are stipulated for this transfer to be lawful. Accordingly, to transfer the required data abroad, (i) the data must continue to be stored domestically, (ii) the transfer must be limited to the extent necessary to smoothly process the payment transaction, (iii) the transfer must comply with the proportionality principle, and (iv) the transfer must be based on a request or instruction from the customer regarding the payment transaction. In addition, it is indicated that the CBRT may suspend or impose additional restrictions on transfers if it believes that the development of the payments area would be adversely affected.
With the amendment to the Communiqué, Institutions are required to use an internet-based method that will allow remote identification and verification of the person to be identified in a process carried out by means of remote communication if a central structure approved by the CBRT cannot be used. Minimum requirements have been determined to follow this method.
The Communiqué amendment specifies, for “persons to be identified,” the formal requirements and security measures to be taken regarding the processes to be carried out through remote communication tools regulated in Articles 22/7 and 22/8 of the Communiqué; the written form requirement will continue to apply.
The Communiqué amendments also stipulate that, in contracts to be established by means of remote communication, if the customer prefers to establish the contractual relationship via an online video call or electronic channel, their declaration of will establishing the contract must be received over the same electronic channel after strong authentication within the scope of Article 10 of the Communiqué. In addition, they state that, if a person is identified remotely within the scope of the Communiqué, the requirements of strong authentication under the Communiqué will also be deemed to be fulfilled.
Within the framework of the provisional regulations in the Communiqué, payment service providers that do not provide direct online access to their customers are required to fulfill their obligations under Article 24/1 of the Communiqué until December 31, 2025. In addition, it is specified that payment service providers that have payment accounts at their disposal may provide the services related to data sharing services to the persons specified under the Communiqué using nonstandard services until June 30, 2024.
Furthermore, the following organizations may provide data sharing services, for which the technical requirements are specified under Article 24/1 of the Communiqué, using nonstandard services until June 30, 2024:
a. Pursuant to Provisional Article 3/3 of Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, those who have applied for an operating license to the CBRT and whose operating license evaluation process is ongoing
b. Institutions that meet the criteria specified in the Communiqué and have obtained permission from the CBRT to provide payment services
The Communiqué authorizes the CBRT to extend this period for a maximum of six months.
The Communiqué amendments introduce the concept of “near field communication” as part of the steps to adapt to the digitalized world. They also re-regulate the procedures that Institutions must follow when remotely identifying and verifying the person to be identified in transactions conducted by means of remote communication. In addition, they determine the necessary conditions for lawfully transferring the required data to the relevant third parties abroad, based on a request or instruction received from the customer regarding the payment transaction. Within the scope of the amendments, it is essential for Institutions to carry out the necessary compliance actions.