There have been various legal developments in Turkey with regards to 'open banking' since the beginning of 2020.
First, the an amendment on the Law on Payment and Securities Settlement Systems, Payment Systems and Electronic Money Institutions numbered 6493 ("Payment Law") has become effective as of 1 January, which defined account information services (AIS) and payment initiation services (PIS) for the first time under Turkish payment regulations. Although the Payment Law does not explicitly mention 'open banking' services, the services that are offered within the meaning of 'open banking' in PSD2 are regulated under Payment Law.
Then, 'open banking' services have been explicitly defined another banking related regulation; Regulation on the Information System of Banks and Electronic Banking Services ("Banking Regulation"). The definition therein is as follows:
"Open banking services: Electronic distribution channel where customers or parties acting on behalf of the customers can conduct or may instruct the banks to conduct banking operations by remotely accessing financial services provided by banks through methods such as API, web services, document transfer protocol"
As you may observe from its definition, the scope of open banking placed under the Banking Regulation is not the same with the 'open banking' services offered under the PSD2 or the Payment Law.
Thus, right now there is a duality under Turkish Law with regards to 'open banking': (i) one under Payment Law (the conventional 'open banking' through AIS and PIS third party providers (TPPs)) and (ii) the other leg is defined under Banking Regulation and regulates the relationship between the open banking providers (note!: not limited with AISP and PISP) and the banks.
Payment Law is the legal instrument regulating payment and e-money services (also payment systems). It is modelled after PSD1 and via subsequent amendments, it is gradually being made more consistent with PSD2 (full consistency is not yet achieved). With the amendment effective from 1 January, AIS and PIS services are now defined in the Payment Law and regarded as "payment services" that necessitates a license to be obtained (there is no separate licensing scheme for these services, they are required to obtain a regular 'payment service provider' license).
Important point to not here is, both AISP and PISP services are offered by accessing a payment account held by another payment service provider which could be a bank, payment institution, or e-money institution. If the service allows access to payment accounts held by a bank, it may be subjected to the 'open banking' provisions of Banking Regulation (see the graphic above).
One of the most critical aspects of 'open banking' and currently a missing piece under Turkish payment regulation is the mandatory account access for third party providers. Unlike PSD2, mandatory access is not regulated under the main legislation but instead, Central Bank is granted a broad authority to determine the rules regarding access to account information:
"The [Central] Bank is authorized to determine all procedures and principles regarding sharing of data held by a payment service provider with other service providers within the scope of [PISP] and [AISP] services that defined under Article 12."
To see how Central Bank handles the issue of mandatory access remains to be seen but our expectation is that they will follow the EU's path and make the account access mandatory for all payment service providers.
On 15 March 2020, banking authority of Turkey ("BRSA") published a regulation concerning information system management in banks and electronic banking services, the Banking Regulation. Banking regulation defined a new term called 'open banking services' (literal translation from Turkish):
"Open banking services: Electronic distribution channel where customers or parties acting on behalf of the customers can conduct or may instruct the banks to conduct banking operations by remotely accessing financial services provided by banks through methods such as API, web services, document transfer protocol"
As one may read from the definition, 'open banking services' defined by the Banking Regulation, is somewhat broader in terms of its scope compared to the traditional 'open banking' as understood under PSD2. The following elements of the 'open banking services' within the Banking Regulation that can be deduced from the definition:
The type of services are which will be considered within the scope of definition are not clearly defined under the Banking Regulation (BRSA is granted a broad authority to decide the banking services that can be offered over open banking services and only these service types will be able to be offered via open banking).
The only exceptional banking service that is clearly stated as can be offered over open banking services within the Banking Regulation is "remote identity verification services" within the scope of AML-KYC obligations of banks. Accordingly, a bank can procure identity verification services to verify its customers' identity from other banks which have previously verified the customers' identity, through open banking channels.
There are two points of divergence between the Banking Regulation's 'open banking' and the conventional 'open banking' of PSD2:
(i) the definition provided under Banking Regulation only covers services that allows access to financial services offered those offered by banks. Therefore, for example a third-party service provider accessing payment accounts of a payment service provider or e-money issuer won't be falling under the scope of 'open banking' defined under the Banking Regulation.
(ii) The access is not limited with access to payment accounts operated by banks; for example, a third-party service provider accessing to identity verification systems of a bank will fall under the scope of open banking defined under Banking Regulation. In contrast, open banking services defined under the Payment Law specifically requires the service provider to be working over a 'payment account' held by any payment service provider for it to be regarded as a payment service - and therefore, be within the scope of Payment Law.
Currently there are no information which services will be considered within the definition of 'open banking' under Banking Law. Banking Regulation and Supervision Agency ("BRSA") has been granted with the authority by the Banking Regulation to determine which services can be offered through open banking channels and to determine principles and procedures regarding such services.
Due to the duality caused by both these regulations concerning open banking, certain open banking services could be subjected to both regulations while others will only be subjected to one. To illustrate:
Short answer, not yet.
As stated, currently preparation of secondary legislation (by Central Bank and BRSA) is waited. Deadline given to the Central Bank is until 1 January 2021, but we expect a call to the sector for feedback made over the draft version before this deadline.
Among many others, two critical issues remain to be regulated which we believe deserve particular attention:
(i) In both Payment Law and Banking Regulation "mandatory account access for third party providers" is not regulated. Either of the regulations do not specify any obligation for mandatory account access allowance for TPPs. There is no clear provision that states payment service provider or banks, to be more specific, are required to provide API access to TPPs. We expect this issue to be specified by upcoming secondary regulations and guidance to be provided by Central Bank and BRSA.
(ii) Banking Regulation is silent on which services can be provided via 'open banking services' as defined under Banking Regulation. Remote identity verification services are the only exception to this uncertainty, as it is clearly specified within the regulation as a service that can be provided by a bank through open banking services to another bank.
We will be providing updates as more details uncover about the regulatory regime of 'open banking' in Turkey.
