Regulation Amending the Regulation on Payment Services and the Issuance of Electronic Money and the Communique Amending the Communique on Changes to the Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services of Payment Service Providers has been published in the Official Gazette as of 7 October 2023.
With the Official Gazette dated 7 October 2023 and numbered 32332, the Regulation Amending the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers and the Amendment to the Communiqué on Payment and Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services of Payment Service Providers. With the Communiqué, many new regulations were introduced, including the provision of digital wallet services, and were aligned with the European Union Payment Services Directive 2 regulation.
The Regulation Amending the Regulation on Payment Services and the Issuance of Electronic Money (“Amendment Regulation“) and the Regulation on Payment Services and the Issuance of Electronic Money (“Regulation“) have been published and by this way Regulation became aligned with the European Union Payment Services Directive 2 In this context, the key changes include:
- Principles for the provision of digital wallet services.
- The principle that payment service providers must treat parties equally when providing infrastructure.
- The content of information that organizations will share with banks regarding businesses, which will include business codes, tax identification numbers, and names.
- Changes in the process related to new applications.
- Facilitating changes related to fund transfers.
- Expanding the services that payment service providers can offer.
- Integration of interface provider definitions within the framework of service model banking.
- Updates to upper limits for certain insufficient amounts over time.
- Clarifications on legal transactions related to payment and electronic money funds.
- Additional financial obligations such as organizational and collateral structures.
- Provisions allowing customers to freely choose between card system organizations (Troy, MasterCard, Visa).
Similarly, changes have been made through the Communique Amending the Communique on Changes to the Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services of Payment Service Providers (“Amendment Communique“) and the Communique on Changes to the Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services of Payment Service Providers (“Communique“). In summary:
- Changes to monetary limits for the definition of anonymous prepaid instruments.
- Introduction of the definition of proximity communication.
- Provisions regarding audit trail records.
- Additions related to data privacy and critical information systems and security within the management of the external service procurement process for information systems.
- Limitations concerning information systems.
- Changes related to identity verification in processes conducted through remote communication tools.
The new Provisions introduced by the Amendment Regulation and Amendment Communique are detailed below.
The Principles for The Provision Of Digital Wallet Services Have Been Regulated.
With the Amendment Regulation, a digital wallet is defined as “a payment instrument that stores information related to the customer’s designated payment account or payment tool, offered as an electronic device, online service, or application, allowing the customer to conduct payment transactions using the information related to the designated payment account or payment tool.” It is stipulated that digital wallet services can only be provided by payment service providers. To operate within the scope of issuing or accepting payment instruments, an organization offering digital wallet services must be authorized, at a minimum, for the issuance of payment instruments. Furthermore:
- If a digital wallet is used as a payment tool in businesses, and if the funds related to the payment transaction are transferred through the organization providing digital wallet services, the organization must hold an electronic money license to issue electronic money.
- If, in a payment transaction to be conducted at businesses, another payment service provider’s payment account or payment instrument issued by another payment service provider is directly used, as defined within the digital wallet, the organization must have a payment initiation service license.
The Amendment Regulation also provides a detailed examination of which business models are not subject to digital wallet provisions.
The Principle that Payment Service Providers Will Treat Parties Equally When Providing Infrastructure Services Has Been Stipulated.
When a payment service provider has control over the payment account services and infrastructure services related to payment services that it offers, and these services are used by other payment service providers, including payment service providers who also have control, it is regulated that the payment service provider providing the same type of services must offer these services to other payment service providers, including the one with control, under the same terms, conditions, and pricing policies.
Furthermore, when a payment service provider holds control over another payment service provider, including the one offering payment account services and infrastructure services related to payment services, and these services are used by other payment service providers, it is also stipulated that the payment service provider with control cannot direct or compel its own customers to receive services from the payment service provider under its control in a manner that would give it an advantage over other payment service providers.
In summary, the responsibility to issue payment instruments in accordance with the customer’s preferred card system organization[1] is imposed. Exceptions are made for cases where contrary practices may occur due to legal obligations and security, operational, and technical reasonable requirements arising from provisions.
Qualified Services Have Been Defined.
With the Amendment Regulation, qualified services are defined as services that facilitate, secure, or enhance the payment services offered to individuals by supporting their financial situation and financial awareness, including individual budget management, invoice management, account verification, payment reminders, which are not covered by the Payment Services and Electronic Money Institutions Law under the scope of payment services.
New Provisions Introduced for the Authorization Process.
Regarding the documents required for the authorization process as defined in the Regulation, it is stated that if any deficiencies in the information and documents are not remedied within three months from the date of notification by the Central Bank of the Republic of Turkey Joint Stock Company (“CBRT“), the application will be deemed not to have been submitted to the CBRT.
Additionally, new additions have been made concerning the necessary information and documents. Accordingly, commitments stating that the capital in the company is funded from its own resources and is provided in cash and free from any kind of evasion, as well as an insolvency concordat document obtained from the relevant trade registry office regarding individuals and the companies in which these individuals directly own at least 33%, along with a document related to the Findeks credit score, must also be submitted.
Regarding deficiencies in the information and documents for applications to expand activities, if such deficiencies are not remedied within six months from the date of notification by the CBRT, the application for expanding activities will be considered as not submitted to the CBRT. If these organizations wish to reapply for expanding their activities, the process for expanding activities will start anew.
Certain Share Acquisitions and Transfers are Exempt from CBRT Approval:
It has been stated that share acquisitions and transfers occurring between companies within the same group in a manner that does not result in any change in the ownership percentage of the ultimate shareholders, either directly or indirectly, in the organization are not subject to CBRT approval. However, in the event of such share transfers, they must be reported to the CBRT within ten business days after the organization becomes aware of them. If, in share acquisition transfers reported to the CBRT, it is determined that the condition of having a transparent and open ownership structure that does not hinder CBRT’s supervision has not been met, the CBRT is authorized to halt the transfer process and, if the transaction has already been completed, to require actions to be taken to revert to the previous state.
The Scope of Services that Payment Service Providers Can Offer Has Been Expanded.
According to the Regulation, an organization’s activities were previously limited to those deemed suitable by the CBRT among those specified in their authorization applications. With the Amendment Regulation; however, organizations will now be able to engage in the following activities:
- Value-added services for legal entities and qualified services for individuals,
- Services provided as an interface provider within the scope of the Regulation on the Principles of Operation of Digital Banks and Service Model Banking,
- Ancillary services that may increase the use of the organization’s payment services, such as marketing to customers for accessing the services of financial institutions regulated and supervised by a competent authority in accordance with relevant legislation and directing customers to the systems of the relevant financial institution,
- Services related to the purchase and sale of processed precious metals and precious stones as specified in Decree No. 32 on the Protection of the Value of Turkish Currency, provided that the maximum transaction volume to be intermediated by the organization within one month is limited to 1% of the payment volume of the previous calendar year.
The Upper Limit for Lending Has Been Increased.
The Regulation had previously stipulated that for payment transactions carried out by being reflected on the invoice issued by an information or electronic communication operator, the operator is required to determine an upper limit for the total monthly expenditure amount for all lines owned by the customer with the relevant electronic communication operator. However, with the Amendment Regulation, the upper limits have been increased: from TRY 500 per transaction to TRY 1,000 per transaction, and from TRY 1,250 per month for the total monthly expenditure for all lines owned by the customer to TRY 2,750 per month. Additionally, the due date for the invoice payment, which was previously 15 days from the last payment date, has been changed to 30 days.
New Provisions Regarding Representatives.
The Amendment Regulation stipulates that a separate list will be created within the Turkey Payment and Electronic Money Institutions Association (“TÖDEB”) for individuals whose representative relationship has been terminated, and they will remain on this list for five calendar years from the termination of the representation relationship. The list will contain information about the organization in TÖDEB, including its trade name, address, and website address, as well as information about the representative, including their MERSIS number, field of activity, and address, including sole proprietorships.
New Provisions for the Creation of Audit Trails.
With the Amendment Communique, regarding the creation of audit trails, it is required that audit trails for transactions that occurred before the audit trail registration system is reactivated must be recorded in the audit trail registration system after it is reactivated, while ensuring the security and integrity of the data. In cases where the audit trail registration system is not operational but transactions continue to take place, the responsibility to prove that the transactions were carried out in compliance with legal provisions will be the responsibility of the organization.
Obligation to Exercise Caution in the Management of Outsourced Services Related to Information Systems.
An obligation to exercise maximum caution has been introduced for the procurement of products and services related to critical information systems and security, requiring that they be produced in Turkey or that their manufacturers have research and development centers in Turkey. Such providers and manufacturers are also required to have intervention teams in Turkey. The CBRT is authorized to set additional requirements regarding the security products and other information technology components that organizations use.
Exception for Cross Border Data Transfer in Information System Restrictions.
In cases where one of the parties to a payment transaction (either the payer or the service provider) is located abroad, the organization may share the data with relevant third parties abroad, subject to the condition that the data continues to be stored domestically, and only to the extent required for the smooth execution of the payment transaction, in accordance with the principle of proportionality and based on customer requests or instructions related to the payment transaction. This is also subject to compliance with the obligations of the Personal Data Protection Law numbered 6698.
The CBRT has the authority to suspend such overseas data transfers or impose additional restrictions on them if it determines, as a result of its assessment, that they would negatively impact the development of the payment sector.
New Provisions Introduced for Remote Identity Verification.
The Amendment Notification includes several changes and new provisions under the section titled “Processes to be Conducted with Remote Communication.” The key provisions introduced are as follows:
- Verification of the authenticity of the document and the data and information contained in the document primarily by using near-field communication technology, conducting tests for security features that can be visually distinguished under white light, such as photographs and signatures, and recording the process of visually inspecting both the front and back of the document continuously.
- In cases where verification cannot be carried out for any reason using NFC, the authenticity of the document and the data and information contained in the document shall be verified using optical character recognition, card readers, or other methods determined by the CBRT, with consideration of the opinions of the Financial Crimes Investigation Board (“FCIB”). Similar to the previous point, this process also involves conducting tests for security features that can be visually distinguished under white light, such as photographs and signatures, and recording the process of visually inspecting both the front and back of the document continuously.
- Recording the consent and explicit approval of the person to be identified for the use of biometric data and the remote communication process.
- In contracts established through remote communication means, after remote identity verification or face-to-face identity verification of the customer, if the customer’s preference is to establish the contract through an electronic channel, strong identity authentication must be conducted, and the customer’s contractual declaration must be obtained through the same electronic channel.
Other Provisions
- While changes to the company name were subject to CBRT approval in the Regulation, the Amendment Regulation now requires such changes to be reported to the CBRT.
- A requirement for at least one risk management personnel to be a full-time employee of the organization has been introduced.
- The definition of anonymous prepaid instruments now includes “remaining below the monetary limits specified in the General Communiqué on Reporting Suspicious Transactions (Serial No: 5) of the Financial Crimes Investigation Board.”
- Near-field communication is defined as “a short-range wireless connectivity technology that enables data transmission over a magnetic field created by bringing or closely approaching electronic devices together for communication between them.“
Transitional Provisions
- Payment service providers that do not provide direct online access to their customers for their existing payment accounts must fulfill their obligation to connect to the Interbank Card Center Inc. within six months after obtaining the necessary permissions following the commencement of their operations, no later than 31 December
- Those who have applied for an operating license from the CBRT and whose license evaluation process is ongoing will be able to provide data sharing services with non-standard services until June 30, 2024, using the technical requirements set forth. CBRT is authorized to extend this period, not exceeding six months.
- Organizations authorized by the CBRT to provide the service of initiating payment orders related to payment accounts held at another payment service provider upon the request of the payment service user, subject to obtaining the payment service user’s consent, will be able to provide data sharing services regarding payment accounts held at payment service providers who are not among the top ten participants in terms of the total number of payment transactions made to accounts within the Bank Payment Systems in 2020 until 30 June 2024, using non-standard services, with respect to payments made to accounts conducted in 2020 within the Bank Payment Systems, in terms of technical requirements.
- Licenses required for services falling within the scope of digital wallets must be obtained by 7 October 2024.
- The TÖDEB will determine the minimum elements that must be included in the receipts provided to customers by electronic money institutions by 31 December 2023, at the latest.
You can access the Regulation Amending the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers through this link; you can find the Amendment to the Communique on Changes to the Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services through this link.
[1] With the Amendment Regulation, card system organizations are defined as “organizations that establish a banking card or credit card system and are authorized to issue cards or enter into merchant agreements under this system,” with reference to the definition in Article 3/1(f) of the Banking Cards and Credit Cards Law.