The long-awaited legislative amendment of the Financial Crimes Investigation Board of the Republic of Turkey Ministry of Treasury and Finance ('MASAK') took place on 25 December 2024.
Within the scope of the relevant amendment ('Amendment'), MASAK has made various amendments to the following regulations within the scope of MASAK legislation, taking into account the recent FATF guidelines and local reviews.
- Regulation on Measures to Prevent Laundering Proceeds of Crime and Financing of Terrorism ('Measures Regulation')
- Regulation on the Programme for Compliance with the Obligations Regarding the Prevention of Laundering Proceeds of Crime and Financing of Terrorism ('Compliance Regulation')
- Regulation on the Procedures and Principles Regarding the Electronic Notification System of the Financial Crimes Investigation Board ('E-Notification System Regulation')
- The Financial Crimes Investigation Board General Communique No: 5 ('Communiqué №5')
- The Financial Crimes Investigation Board General Communique No: 19 ('Communiqué №19')
- Regulation on Laundering Offence Investigation
Issues Affecting FinTech Institutions
The consequences of the Amendment for payment and electronic money institutions ('FinTechs') are as follows.
- Prepaid Cards Are Limited in Usage Areas
- The Area of Use of Electronic Coins Issued within the Scope of Anonymous Account is Limited
- The Clause Exempting the Obtaining of a Signature Sample within the scope of Simplified Measures has been removed
- Simplified Measures in POS Services Abolished
- Crypto Asset Service Providers and Merchants Reclassified to Highly Risky Group Status
- Obligation for Payments to be made to ECSPs acquired by ECISPs through Simplified Measures to be made to the Bank Account
- Obligation to Make Additions to the Scope of the Institution's Policy Related to 'Freezing of Assets'
- Possibility of Appointing More Than One Compliance Officer
- Some Information for Identification of Natural Persons is Excluded from the Scope of the Regulation
- Third Party Reliance Requirements Tightened
- Verification of at least four security elements within the scope of Remote Identification has become sufficient
If we detail the above headings one by one;
Usage Areas of Prepaid Cards are Limited
With the Amendments made to Article 2.2.9 of the Communiqué No.5, the conditions for prepaid cards that do not require FinTechs to conduct standart due diligence have been tightened.
Within this scope, it is stipulated that the said cards i) are closed to cash withdrawal, ii) can only be used for the purchase of goods and services in the following cases and iii) can be used for invoice payments.
- Cases where the cardholder is physically present at the workplace and the card is physically used
- Purchases of goods and services to be made before the service provider and intermediary service providers that receive a trust stamp within the scope of the Communiqué on Trust Stamp in Electronic Commerce published in the Official Gazette dated 6/6/2017 and numbered 30088
Considering that the cards in question were generally open for the purchase of goods and services before the Amendment, it is seen that the new restriction limits the use of these cards, especially in digital media, to service providers (e-commerce sites) and intermediary service providers (e.g. marketplaces or app stores) that receive a trust stamp. It will not be possible to use prepaid cards that do not require identification within the scope of Article 2.2.9 in the presence of service providers and intermediary service providers that do not have this stamp, and for the use of the relevant cards in these channels, FinTechs will be required to perform Full KYC to the cardholder within the scope of the Regulation on Measures or the Communiqué No.19 regulating remote identification.
The amendments under Article 2.2.9 shall enter into force on 25 January 2025.
Usage Area of Electronic Money Issued within the Scope of Anonymous Account is Limited
With the new regulation made in Article 2.2.11 of the Communiqué No.5, the electronic money issued within the scope of the first paragraph of the Article are prohibited to be subject to cash withdrawal and the rule that these electronic money can be subject to the purchase of goods and services only in the following cases has been introduced.
- Only where the payer is physically present at the workplace and the payment instrument is physically used or,
- Goods and services to be procured from service providers and intermediary service providers that have received a trust stamp within the scope of the Communiqué on Trust Stamp in Electronic Commerce or,
- for use in bill payments.
Prior to the amendment, in order to have a smooth and easy customer onboarding process, FinTech institutions were making wallet users as customers (known as 'anonymous' in the sector) without identifying them within the scope of the first paragraph of Article 2.2.11 and allowing these users to use wallets limited to the monetary amounts and rules specified in Article 2.2.11.
With the amendment made, it is understood that from now on, users who are made customers within the scope of the first paragraph of Article 2.2.11 will not be able to withdraw cash from these wallets and will not be able to use the amounts in this wallet for all goods and services, but only in very limited areas -as stated above-. It is considered that the relevant amendment will significantly limit the use of wallets in digital ecosystem.
Finally, it should be noted that the rules on mobile payments under Article 2.2.11 have been preserved without any change. The fact that the Trust Stamp limitation on electronic money issuance is not imposed on mobile payments is considered to be positive, especially in terms of not restricting mobile payments in app stores.
The amendments under Article 2.2.11 shall enter into force on 25 January 2025.
The Clause Exempting the Obtaining of a Signature Sample within the scope of Simplified Measures has been removed
As is known, pursuant to the -former- second paragraph of Article 2.2.11 of Communique No. 5, FinTechs were allowed to remove the ₺2,750 limit on accounts with anonymous status for their customers after conducting the necessary database checks, and permit the issuance of electronic money for higher amounts without conducting face-to-face or remote identification.
With the Amendment, the paragraph allowing this opportunity has been removed from the Communiqué Serial No.5.
In this context, it is possible to say that FinTechs will have two models as 'anonymous' and 'Full KYC' within the scope of the first paragraph of Article 2.2.11 in customer acquisitions in wallet processes at this stage and there will be no other status.
!!! Institutions authorised to issue electronic money shall re-onboard their existing user in compliant with the new rules no later than 25 March 2025 . Within this period, the institution must take necessary measures to reach the customers who have not requested any transaction for the purpose of identification; If no transaction is requested by the customer within this period and the customer cannot be reached, the customer must be brought into compliance on the date of the first transaction request and before the transaction is executed.
Within the scope of these transitional provisions, it is seen that MASAK has imposed an active obligation on FinTechs to identify customers for whom identification has not been made. In this context, it is important for FinTechs to take the relevant steps and to be able to prove them in future audits.
!!! Pursuant to the last paragraph of the Provisional Article No. 5, those who have started the identification process in accordance with the Communiqué No. 19 may not establish a new business relationship within the scope of Article 2.2.11 as of the date of commencement of this process.
Due to the aforementioned provision, it is considered that FinTechs that have the technology in accordance with the Communiqué No.19 and have started to acquire customers within this scope will not be able to benefit from the exemptions granted during the transition period in terms of situations where identification is mandatory within the scope of Article 2.2.11 after the commencement date of the relevant process.
The amendments under Article 2.2.11 will enter into force on 25 January 2025.
Simplified Measures in POS Services Are No Longer Available
One of the amendments that will have the most significant impact on FinTechs is the fact that merchants receiving virtual terminal service ('POS Service') will no longer be able to identified through simplified measures.
With the removal of the third paragraph of the Communiqué No.5, it is no longer possible for FinTechs to onboard the merchants to which it provides POS Services as customers within the scope of simplified measures .
Therefore, FinTechs will be required to identify merchants without applying any simplified measures, i.e. by performing face-to-face or remote identification (Standard KYC) while providing POS Services.
!!! FinTechs are required to re-onboard the merchants already acquired in accordance with the provisions of Article 2.2.11 before 25 December 2025 into compliance with Articles 6 or 7 and other relevant articles of the Measures Regulation or the Communiqué No. 19 regulating remote identification by 25 March 2025. Within this period, necessary measures must be taken by the institution to reach the customers who have not requested any transaction for the purpose of identification; In the event that no transaction is requested by the customer within this period and the customer cannot be contacted, the harmonisation process must be carried out on the date of the customer's first transaction request and before the transaction is executed.
Within the scope of these transitional provisions, it is seen that MASAK has imposed an active obligation on FinTechs to carry out the identification of member merchants that have not been identified. In this context, it is important for FinTechs to take the relevant steps and to be able to prove them in future audits.
!!! Pursuant to the last paragraph of the Provisional Article No. 5, those who have started the identification process in accordance with the Communiqué No. 19 may not establish a new permanent relationship within the scope of Article 2.2.11 as of the commencement date of this process.
Due to the aforementioned provision, it is considered that FinTechs that have the technology in accordance with the Communiqué No.19 and have started to acquire customers within this scope will not be able to benefit from the exemptions granted during the transition period in terms of situations where identification is mandatory within the scope of Article 2.2.11 after the commencement date of the relevant process.
The amendments under Article 2.2.11 will enter into force on 25 January 2025.
Crypto Asset Service Providers and Merchants are Categorised as Highly Risky Group
With the addition made to Article 13 of the Compliance Regulation, crypto asset service providers ('CASPs') and merchants have been categorised as high-risk groups and it has been stipulated that some of the measures -which are already defined in the legislation- should be implemented at least for these groups.
As it is known, pursuant to Article 13 of the Compliance Regulation, obligors are obliged to implement one or more or all of the measures specified in the article in proportion to the identified risk in order to minimise the risk to be undertaken for the groups that they have identified as high risk as a result of the risk rating.
With the Amendment,
With respect to CASPs. Financial Institutions, including FinTechs, are obliged to take the following measures as a minimum in establishing a business relationship with CASPs:
- Obtaining as much information as possible about the source of the assets subject to the transaction and the funds belonging to the client,
- To learn about the purpose of the process,
- To make the establishment of a labour relationship subject to the approval of the senior official,
- To increase the number and frequency of controls applied and to keep the business relationship under close supervision by identifying the types of transactions that require additional control,
- To set limits on the amount and number of transactions.
In terms of Merchants. To FinTechs and banks, are obliged to take the following measures as a minimum in establishing a relationship with the merchants to which it provides terminal services, i.e. POS and in other transactions requiring identification:
- Obtain additional information about the client and update the credentials of the client and the actual beneficiary more frequently,
- To obtain additional information about the nature of the labour relationship,
- Obtaining as much information as possible about the source of the assets subject to the transaction and the funds belonging to the client,
- To learn about the purpose of the process,
- Making the entry into a business relationship, the continuation of an existing business relationship or the realisation of a transaction subject to the approval of a higher level official,
- To increase the number and frequency of controls applied and to keep the business relationship under close supervision by identifying the types of transactions that require additional control,
- Requiring the first financial transaction in the establishment of a permanent business relationship to be made from another financial institution to which the principles regarding the recognition of the customer are applied (not required to be made by banks).
- Regularly check that the terminals in question are used in accordance with the purpose of the business relationship or that they are not made available to other persons other than those permitted by the relevant legislation and to take necessary measures, including termination of the business relationship, in case of detection of any breach in this context.
Within the scope of the said regulation, FinTechs will be required to evaluate the member merchants to which it provides POS Services and the CASPs to which it opens corporate wallet accounts, if any, as a high-risk group and take the necessary measures.
!!! At this point, we would like to remind you that the CASPs cannot provide virtual POS to KVHSs in accordance with the provision 'Payment and electronic money institutions cannot intermediate platforms that offer trading, custody, transfer or issuance services related to crypto assets or fund transfers to be made from these platforms' within the scope of the 'Regulation on the Non-Use of Crypto Assets in Payments' dated 2021.
The effective date of the relevant Article is 25 February 2025.
Obligation to Make Additions to the Scope of the Institution's Policy Related to 'Freezing of Assets'
With the addition made to Article 7 of the Compliance Regulation, the rule that the Institutional Policy prepared within the scope of the MASAK Legislation shall cover the asset freezing decision and the actions related to this decision has been introduced.
Pursuant to the relevant article, the Institutional Policy should also cover the studies for the identification, assessment, monitoring and mitigation of the risk for the risks of violation, non-implementation and avoidance of asset freezing decisions within the scope of the Law on the Prevention of Financing of Terrorism dated 7/2/2013 and numbered 6415 and the Law on the Prevention of Financing the Proliferation of Weapons of Mass Destruction dated 27/12/2020 and numbered 7262, and advanced controls for the implementation of such sanctions.
On the other hand, the Obligors must fulfil the following obligations:
- Take measures for continuous monitoring of customers and transactions by taking into account asset freezing decisions and potential matching criteria in monitoring and control activities within the scope of the Institutional policy; and
- In this context, take into account the sender and recipient information in electronic transfer messages.
The effective date of the relevant article is 25 February 2025.
Possibility to Appoint More Than One Compliance Officer
With the addition to Article 16, f.3 of the Compliance Regulation, the possibility of appointing more than one compliance officer has been introduced for all obligors, including FinTechs.
In cases where more than one assistant compliance officer is to be appointed, the time requirement is sought for the appointment of the first assistant compliance officer.
Some Information for Identification of Natural Persons is Excluded from the Scope of the Regulation
With the amendment, taking into account the fields in the new ID cards, the obligation to obtain place of birth information in the identification of real persons within the scope of the Measures Regulation has been removed;
- The obligation to obtain birthplace information has been cancelled,
- For Turkish citizens, the obligation to obtain the names of the mother and father has been abolished,
- For non-Turkish nationals, it is now mandatory to obtain place of birth information.
These amendments have also been made with respect to officials of other persons (e.g. legal entities, trade unions, foundations, etc.) and natural persons identified under the simplified measure.
Third Party Reliance Requirements Tightened
Within the framework of the additions to Article 21 of the Measures Regulation, in order for the third party reliance method to be followed,
- The identification of the customer whose information is shared by the third party has not been made within the scope of simplified measures; and,
- In the event that a continuous business relationship is established through remote identification by the trusted institution, a rule has been introduced to ensure that digital images can be provided.
Pursuant to this amendment, FinTechs wishing to accept customers within the scope of third-party trust will be required to check whether the customer's identification at the third party is within the scope of simplified measures, and if the customer is identified through simplified measures by the third party, the relevant customer will not be subject to third party reliance mechanism.
Verification Of At Least Four Security Elements Has Become Sufficient For Remote Identification
The phrase 'of the elements' in subparagraph (a) of the third paragraph of Article 4/A of Communiqué No.19 has been amended as 'at least four of the elements'.
In this way, it has become sufficient to verify at least four, but not all, of the following elements.
'Visual security elements in the identity document, which are security elements that can be visually distinguished under white light, consisting of clothing, rainbow printing, optical variable ink, hidden image, hologram and micro writing, photograph and signature'
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.