When Bill Gates, founder of Microsoft said, "Banking is necessary, banks are not," in 1994, many didn't understand his logic. However, in today's world, for many people, it is unusual to go to a bank for banking transactions. FinTech companies, which bring together financial services and products with technology, created a new reality in the financial services sector. With the wide use of the internet, it has become routine to use digital channels such as internet and mobile banking for transactions like bill payments, money transfers and for tracking accounts.
The COVID-19 pandemic has proved that rather than being a conspiracy, it has become vital to access financial products and services without leaving our homes or even touching physical notes. As the life-altering situation accelerates the digital transition process, a new service infrastructure beyond internet and mobile banking, which only allows for access to the infrastructure of a specific bank, has become crucial to meet customer needs.
Open banking, which carries internet and mobile banking one step further by allowing customers to view and manage their financial data in multiple banks on one screen, was already on the agenda of financial regulators in many countries in past years. COVID-19 demonstrates that open banking deserves to be more than "an issue on the agenda."
Open Banking Regulations in Turkey Vis-à-Vis PSD2
Turkey developed a legal infrastructure for the digital world of banking and payment services with the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions number 6493, dated 27 June 2013 ("the Law"), as well as with secondary legislation. All the new legislation was largely inspired by the EU Payment Services Directive 1 number 2007/64 ("PSD1").
The Law was amended in line with evolving financial services on 12 November 2019, effective from 1 January 2020. One of the major amendments is the introduction of new payment services which brought about an initiative for open banking. This was the first step toward establishing a legislative basis for open banking in Turkey.
The legislative framework of open banking is very similar to the EU Payment Services Directive 2 number 2015/2366 ("PSD2"), which is known to be the dawn of open banking in Europe, as well as in the rest of the world. To that end, sub-paragraphs (f) and (g) were added to the first paragraph of Article 12 of the Law, which regulates the types of payment services. In wording almost identical to that of PSD2, the Law defines "payment initiation service" as, "a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider," and "account information service" as, "an online service to provide consolidated information on one or more payment accounts of the payment service user held by payment service providers upon the approval of the payment service user".
With recent amendments, the Law designates the institutions which will provide payment initiation or account information services as payment service providers, imposing on them the obligation to comply with the related provisions. However, it will not be necessary to comply with the requirement to issue shares against cash and in the name of the holder, and the minimum capital requirements will not be required for those who will only provide account information services. Within the scope of recent amendments, the Central Bank of the Republic of Turkey ("Central Bank") will be authorized to adopt regulations regarding this issue.
Furthermore, the Regulation on Information Systems of Banks and Electronic Banking Services ("the Regulation") dated 15 March 2020, which will enter into force by 1 July 2020 and which determines principles and procedures regarding electronic banking services and information systems of banks, accepts open banking services as electronic banking services, and defines them as, "an electronic distribution channel where customers or parties acting on behalf of customers can remotely access and complete banking transactions or give orders to the bank to complete transactions by accessing financial services offered by the bank through API, web services and file transfer protocols." Rules similar to the Regulatory Technical Standards related to PSD2 on strong customer authentication, security measures for transactions, monitoring transactions regarding the risk of fraud and informing customers concerning electronic banking services will also be applicable to open banking services in Turkey. However, there is a slight difference from PSD2: since the Regulation brings obligations for banks only, the obligations of open banking service providers are not yet defined. We expect the secondary regulations to be adopted by the Central Bank will close this gap. The secondary regulations regarding open banking should be introduced by 12 November 2020, in other words, within one year following the introduction of the amendments to the Law. As determining the standardization of open banking by the Central Bank was emphasized in the Parliament commission negotiations regarding the Law, the standardization of API and similar interfaces is expected to be included in the relevant secondary regulations.
Another significant innovation brought by the Regulation is "remote authentication," which will possibly further pave the way for open banking services, enabling banks to remotely authenticate the identity of new customers or to receive services from another bank that has previously identified such a customer through open banking services. By means of remote authentication, banking transactions in Turkey, which have advanced considerably in providing remote financial services to existing customers in recent years, will advance to the next level and expand the scope of open banking transactions, as banks will be able to establish contractual relationships remotely in client onboarding processes.
It has not yet been determined whether banks will be required to share data with service providers or not. However, unlike the first version of PSD2, current legislation in Turkey does define technical standards and draws up the technological framework for banks that will provide open banking services, to some extent. As the authority to draft procedures and principles regarding data sharing in open banking is vested in the Central Bank by the Law, it is presumed that the Central Bank will determine when it will be mandatory for banks to share their data with other payment service providers in terms of open banking activities.
It is of key importance to draft the secondary regulations for open banking, by means of standardizing data sharing limits clearly and determining measures to ensure data security in order to meet the expectations of banks; setting easily-met provisions for financial technology companies to enter the system and supporting ease of use and data privacy for customers.
Conclusion: A New Beginning
Along with many other advantages, open banking seems to bring a new beginning to the nature of banking globally, as it promotes competition and innovation which increase the quality of services and products in the financial sector. However, regarding the current era of financial technology, if the measures that protect data are not strengthened in parallel with increased data sharing, this may cause negative experiences. Therefore, data sharing, a mandatory component of open banking, requires the establishment of a system for which the technical and legal infrastructure has been elaborated upon. Thus, it is clear that open banking will advance the financial services sector if the service providers and banks apply permanent and solid measures to provide data protection in order to increase customer trust in data sharing.
It is beyond doubt that adaptation will be much faster in countries with financial sector players that are advanced in technology and innovation. Following the current period in Turkey, the Central Bank will enact regulations and encourage the development of open banking by incorporating actors that will shape the sector.
1. Directive (EU) 2007/64/EC: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32007L0064&from=EN
2. Directive (EU) 2015/2366: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L2366
3. Commission Delegated Regulation (EU) 2018/389 supplementing Directive (EU) 2015/2366 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication:
4. Further amendments may be required under Law No. 5549 on Prevention of Laundering Proceeds of Crime and related MASAK regulations before 1 July 2020, which is the effective date of the relevant regulation on electronic banking services.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.