The Turkish Banking Regulation and Supervision Agency ("BRSA") has recently specified the details regarding the Banking As A Service ("BaaS") business model.

As is known, BaaS stands out as a rising business model in the finance sector wherein banks increase their inclusiveness by providing infrastructure to other sectors.

To avoid legal uncertainties and non-compliance risks regarding BaaS, the BRSA has published the "Regulation on Operating Principles of Digital Banks and Service Model Banking" ("Regulation"). The Regulation entered into force on January 01, 2022.

The critical topics of the Regulation can be summarized as follows:

What is the definition of BaaS in the "Regulation"?

The parties to the business model of BaaS are defined in the Regulation as follows:

  • "Service bank" means "a bank that offers BaaS service,"
  • "Interface Provider" means "a business established in the form of a capital company that enables its customers to perform banking transactions (via a mobile application or an internet browser-based interface) by providing access to banking services offered by the service bank (through open banking services of the service bank)."

In this context, a service bank could be any bank specified in the Banking Law numbered 5411, and an interface provider is a financial technology company or any other business that enables its customers to perform banking transactions through its mobile applications or internet browser-based interfaces.

It should be noted that banks are explicitly prohibited from acting as an interface provider under the Regulation.

Based on these definitions, the BaaS is defined as "a banking service model, in which customers can perform banking transactions through the service bank by directly connecting with the systems of the service bank via open banking services offered via the interface of the interface provider."

Locality Requirement for the Interface Providers

The Regulation stipulates that service banks are allowed to provide service model banking services only via domestically resident interface providers.

From this provision, it is understood that interface providers that are not established in Turkey are not allowed to benefit from the BaaS even if they provide service to users in Turkey, and companies that intend to benefit from this service must have a company established in Turkey.

Prohibition on Use of Expressions That Might Give Wrong Impressions Before the Customers

The Regulation stipulates that interface providers are not allowed to use the name of any payment service provider, such as a bank, payment institution, or electronic money institution, or any such words and phrases, in their trade names, documentation, announcements, advertisements, or public statements without obtaining the necessary permissions.

Besides, the interface providers are prohibited from using expressions that would lead to an impression that they operate as a bank or non-bank payment service provider, collect deposits and participation funds like a bank, or collect funds as a payment service provider.

Contractual Relationships Between a Service Bank, an Interface Provider, and Customers

With the Regulation, the BRSA also introduced some arrangements regarding the relationships between a service bank, an interface provider, and customers of the interface provider who will benefit from banking services.

In this context, for a customer of the interface provider to benefit from a BaaS service, the customer is required to sign a contract with both the interface provider and the service bank.

In addition, it is stipulated that the service bank will be the sole deciding party on whether or not to provide banking services to a customer through BaaS over the interface of an interface provider, including decisions on loan granting, and that banking services to be provided to the customer will be rendered through the balance sheet of the service bank.

Security Levels of Interface Providers' Interfaces

With respect to the contracts to be established in an electronic environment between customers of the interface provider and the bank, the Regulation imposes an obligation to carry out the process in accordance with the banking legislation. Furthermore, the Regulation requires the identification process to be conducted by the service bank, i.e., not the interface provider. For this reason, we may conclude that mobile applications or internet browser-based interfaces of interface providers should have a security level equivalent to that of the banks.

In addition, if the process of establishing a contractual relationship between the service bank and the customer is both initiated and completed through the interface of an interface provider, those service channels of the interface provider must conform to the security criteria described in the Regulation on Banks' Information Systems and Electronic Banking Services ("Regulation on Information Systems") and must provide assurance that the customer approves only the information that was shown to the customer as the content of the contract. The responsibility to comply with this obligation belongs to the service bank.

Furthermore, the interface provider and the service bank are jointly responsible for ensuring that the mobile application or internet browser-based interface of the interface provider, which the customer uses to access the services offered by the service bank, complies with the authentication and transaction security obligations set out in the Regulation on Information Systems.

Interface Providers Are Subject to the Regulation on Support Services

Pursuant to the Regulation, an interface provider shall be considered a support service organization as defined in the Regulation on Support Services in that, in addition to receiving service from the service bank, they mediate the establishment of a contractual relationship between the service bank and the customer, or they enable the customer to be provided with banking services by the service bank through the interface provided under the said contract.

The ability to provide support services to a service bank as an interface provider is subject to the permission of the Board, in accordance with the Organizational Bylaws of the BRSA, in a way that will be perfected by the service unit in charge of on-site inspection of the information systems of the institutions subject to the supervision and control of the BRSA.

Systems Used by Interface Providers and Their Backups

The Regulation states that the systems used by an interface provider in carrying out its activities related to the support services offered to service banks, and the backups of those systems, are covered by primary systems.

Accordingly, the sharing of confidential information, which the service bank will make with the interface provider in this context, has been included in the scope of exceptions on data exchanges performed using the support services listed in the Regulation on Sharing of Confidential Information.

Minimum Compulsory Elements of a Service Contract Held Between a Service Bank and an Interface Provider

The minimum provisions that should be included in a service contract between a service bank and an interface provider are listed one by one in the Regulation. It would not be wrong to say that these provisions draw the limits of how the service banking model will be run.

In this context, the rules that the service bank and the interface provider must comply with while performing service model banking services can be summarized under the following subheadings. These rules are essential for a smooth (frictionless) user experience (UX) and critical for brand positioning in the eyes of consumers.

  • Emphasizing that the Interface Provider is Not a Bank: In the contract to be concluded between an interface provider and a customer, it should be stressed that the interface provider is not a bank holding an operating license, or a payment service provider in cases where it has not obtained the necessary operating permits, or any other financial institution that is subject to an operating license.
  • Emphasizing that Services are Provided by the Service Bank: In the contract to be concluded between the interface provider and a customer, the following should be explicitly stated: that banking services are provided by the service bank; the services offered by the service bank and the responsibilities of the service bank; the contractual provisions that are in effect between the service bank and the customer; the website of the service bank that contains other terms and conditions of using the service bank's services; and the web page address of the customer services offered by the service bank and the call center telephone number, so that customers can forward their requests and complaints to the service bank.
  • Provision of Contract Samples by the Interface Provider: A copy of the uniform contract executed between the interface provider and the customer and a copy of the uniform contract executed between the service bank and the customer should be displayed on the home page of the interface provider's website.
  • Indication of the Service Banks from which Service is Received: The logo and name of the service bank(s) from which the service is received must appear on the home page of the interface provider's website.
  • Brand Use in Case of Card Issuance: In case the service bank issues a card payment instrument for the interface provider, the bank's name and logo must be prominently displayed on the said payment instrument.
  • Processing Limit for Confidential Data: Any confidential data transferred to the interface provider in line with the customer's request must be processed within certain limits laid down in the Regulation. Accordingly, the use of such data by the interface provider for profiling or other marketing or CRM purposes is prohibited as a rule.
  • Keeping Confidential Data Domestically: The interface provider, or the parties from which the interface provider receives service, must keep in the country the systems and data backups that hold the confidential data processed while service model banking is provided.
  • Cases where the Interface Provider Obtains Cloud Computing Service: In case an interface provider receives cloud computing service for the systems and data backups where confidential data is processed, the external service must be obtained through the private cloud service model (i.e., over the hardware and software resources allocated to the interface provider) or through the community cloud service model, in which hardware and software resources allocated only to organizations subject to the supervision and control of the BRSA are physically shared while a specifically dedicated resource is logically assigned to each institution, provided that it is permitted by the BRSA.
  • Authority of the Service Bank to Conduct Audits at the Interface Provider: It is necessary to enable the service bank to conduct audits at the interface provider and examine the relevant information, documentation, and records in order to ensure that the deals performed by the interface provider comply with the authentication and transaction security criteria laid down in the Regulation on Information Systems.
  • Termination of the Contract between the Interface Provider and Service Bank: It must be possible for a service bank to terminate a contract held between the service bank and an interface provider immediately, before its date of expiration, in the event that it is determined that the information systems and service channels used by the interface provider in processing confidential data fail to meet the obligations under the Regulation on Information Systems, or in case the permission given by the BRSA to the interface provider to serve the service bank as a support service institution is revoked.
  • No Transfer of Services: The services provided by an interface provider to a service bank and the services received from a service bank are not transferable.

The Ability of Banks to Offer BaaS Without Expanding their Operation License

The Regulation stipulates that banks have the right to offer the BaaS services to interface providers as per their current operating licenses. In other words, banks are not required to obtain an additional license in order to be able to provide BaaS Services.

However, a service bank is obliged to provide information about the scope of the services it provides on the website, together with a list of all interface developers and providers it serves and the banking services it provides, and to send to the BRSA in writing a copy of every service contract it has signed with interface developers and providers, and a copy of each contract change that envisages a change in the scope of the services it will provide to the interface provider, within one week following the signature date.

An Interface Provider Working with Several Service Banks

According to the Regulation, an interface provider has the right to work with several service banks. However, the ability of an interface provider to work with several service banks is subject to the permission of the Board.

In addition, it is stipulated that the permission to be granted by the Board in this context will not abolish the obligations of interface providers under other applicable legislation, including the obligation to obtain a license for the service of Supplying Account Information and Initiating Payment Orders, which are defined as payment services in the Law numbered 6493.

Despite this provision, in our opinion it is unclear whether an interface provider would benefit from the AIS and/or PIS services offered by a single service bank.

Conclusions

The transitivity of the banking sector with other sectors in Turkey will increase in the upcoming years thanks to the BaaS introduced by the BRSA.

Thanks to this transitivity, the banks will be able to expand their customer portfolio. At the same time, e-commerce, retail, aviation, telecom, and other entities in sectors that can reach their users over the internet, and that can act as an interface provider, will have the chance to serve with the muscle of a bank, without an annoying customer experience, and so increase customer loyalty.

In this regard, banking services will become more liberal, and the channels where banks contact their customers will increase and vary.
