For further information,
please contact:
Legal Alerts

Central Bank Guidelines on Open Banking Service

Legal Alerts
Fintech
General

Recent Developments

Last October, the Central Bank of the Republic of Türkiye (the “CBRT“) published the guidelines (the “Guidelines“) aiming to ensure compliance with the legislation and uniformity in operating licenses to be granted by the CBRT by correlating the payment services regulated under the Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (the “Law“) and the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (the “Regulation“) with the business models in the field of payments. You can access our newsletter dated October 10, 2022 regarding the Guidelines here.

This time, on December 30, 2022, the CBRT published the Guidelines on Data Sharing Services for Payment Services (the “DSSPS Guidelines“), which provide detailed information on (i) Payment Order Initiation Service and (ii) Account Information Service, referred to as Data Sharing Services for Payment Services (the “DSSPS“), regulated by the Law and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in Payment Services Area (the “Communiqué“).

The DSSPS Guidelines provide detailed explanations as to whether certain frequently used business models in the field of payments require an operating license for payment order initiation services and account information services, and the licensing and technical certification process. However, the DSSPS Guidelines state that evaluations elaborated thereunder only provide general framework and final evaluations will be subject to review of the CBRT upon official applications for operating licenses. You can access the DSSPS Guidelines here.

What’s new?

Exemplary Business Models and Respective Evaluations within the Scope of the DSSPS Guidelines
  1. Account Information Services

As elaborated in the Communiqué, Account Information Service is defined as presentation of the data collected by the Account Information Service Provider licensed within the scope of the payment services from payment service user’s accounts with different Account Service Providers. Institutions providing such services are required to obtain an operating license from the CBRT in accordance with subparagraph (g) of the first paragraph of Article 12 of the Law.

The DSSPS Guidelines shed light as to whether an operating license is required for various business models implemented in the sector. In this respect, the following criteria are taken as a basis for identifying a service as an “Account Information Service”:

  • If the service provider enters into direct agreements with the account service providers in order to receive responses to the inquiries they pose with certain frequencies through their own firm infrastructure, and if the service provider directly deals with the account service providers and they are technically/administratively/legally liable to these parties and client data is directly transmitted by the account service providers to the service provider that will provide account information services, the service in question is considered Account Information Service and requires an operating license under the Law.
  • If the service provider does not enter into a direct legal relationship with the account service providers where the client accounts are held, but instead the client signs a web services protocol with the account service provider and shares the account activity data with the service provider itself, the service provider’s efforts are not considered Account Information Service.

It is also stated that whether the client accesses the Bank with an IP belonging to the client or to the     service provider does not change the evaluation. The situation must be evaluated within the scope of     outsourcing services by a technology company by the client, the legal/contractual counterparty of the     bank being still the client.

  • The DSSPS Guidelines do not consider it a payment service for a technology firm to sell white-labeled software or lease a license for such software that is used for consolidating web services for the purpose of providing its customers with “Account Activity and Online Bulk Transfer Web Services” related to the customers’ accounts with account service providers. The service in question is considered as a technical service.

In addition, it clarifies that if the client is a holding company, the access of its holding companies with a single IP is considered within the scope of the DSSPS and there is no need to obtain a license and they may rely on the exemption in the Law regarding payment services that are realized between the parent company and its subsidiaries or between the subsidiaries that are not intermediated by any payment service provider other than a company belonging to the same group.

2. Payment Order Initiation Service

The DSSPS Guidelines define a payment order initiation service as intermediation by a licensed Payment Order Initiation Service Provider of payment service users to place a payment order for payment from a payment account before another payment service provider.

Accordingly, the DSSPS Guidelines clarify whether an operating license is required for various business models implemented in the sector as follows:

  • If the service provider enters into direct agreements with the institutions where their clients’ accounts are held and are direct counterparties to these institutions being technically/administratively/legally liable to them, the service in question is considered Payment Order Initiation Service and requires an operating license under the Law.

In addition, if the payment institution obtains the client’s account information (balance, account activities, etc.) from the relevant Account Service Providers and provides it to the client, it must also obtain an operating license from the CBRT for the Account Information Service.

  • The payment flow, in which a payment institution stores its clients’ bank cards in the digital wallet offered by the payment institution and the payment institution acts as an intermediary for the clients to transfer funds from their cards in this digital wallet (from the linked payment account) to the payment institution’s contracted merchant account using the payment institution’s application, is considered Ppayment Order Initiation service and requires an operating license under the Law.

Evaluations on Frequently Asked Questions

  • The DSSPS Guidelines clarify that service providers that currently provide Account Information Service and/or Payment Order Initiation Service, but have not applied to the CBRT for an operating license for these services, may continue to operate as the representative of an institution that has obtained an operating license, as long as they comply with the provisions of the CBRT Instruction dated December 13, 2021 on “Contracts”, particularly the contracts to be concluded with the client, and the provisions regarding representation of the Regulation and Communiqué.
  • Banks’ online account statement sharing services are also considered Account Information Services. In case such service is provided through technology companies (assuming they have direct agreements with these companies), it is considered that the technology companies providing the said service must also obtain a license.
  • Pursuant to the Regulation, payment institutions can provide information services for the accounts of legal entities and merchants that are not considered payment accounts, regarding their administrative and operational processes. DSSPS Guidelines state that if the validity of the consent for processing of customer’s account information expires or the customer removes their consent, their data may continue to be stored with the customer’s approval. However, the DSSPS Guidelines emphasize that data other than audit trail data must be deleted if the relationship between the customer and the payment organization is terminated.
  • DSSPS Guidelines regulate that counterparty information such as Turkish identity number, tax identification number, IBAN and account number can only be displayed by masking.
  • The DSSPS Guidelines clarify that the Account Information Service and the Payment Order Initiation Service are not prerequisites for each other. In this regard, a license application can be applied separately only for Account Information Service or only for the Payment Order Initiation Service, or for both at the same time.