Introduction

Over the last few years, the financial market has been rapidly changing and transforming. One of the most important digital transformations of the 21st century was the concept of open banking.

The concept of open banking was first introduced in the United Kingdom in 2016 and quickly started a new era of transformation in digital financial services.

The Banking Regulatory and Supervisory Authority ("BRSA") laid down the legal infrastructure of open banking with the Regulation on Banks' Information Systems and Electronic Banking Services ("Regulation") issued on March 15, 2020. The Regulation will enter into force on July 1, 2020.

Turkish banks, which are among the leading banks in digital banking services, can utilize open banking to carry out many activities to provide an unprecedented user experience.

With COVID-19, the need for digital banking services has drastically increased, and so has the Turkish people's familiarity with them, paving the way for a faster development of open banking in Turkey.

In this article, we focus on what open banking entails and on Turkey's journey in setting out the legal infrastructure for it.

What is Open Banking?

Open banking is a model in which customers' financial data stored in banks can be accessed by third parties, i.e. third party service providers (third party provider - TPP), with the permission of the customers. In other words, through the open banking model, financial data belonging to clients is no longer under a monopoly of banks and is accessible to financial technology companies (fintechs) through a common platform upon the client's request.

In the open banking model, all financial data, including but not limited to monthly credit card spending and saving habits, are shared with financial technology companies and banks for data analysis.

Financial data can be easily shared among all financial institutions through application programming interfaces (API). The API concept is a uniform set of rules that allow software/applications to share data with each other.

What does Open Banking Offer?

Banks and fintech companies can analyze data like clients' spending and investment habits and their current financial capacity with the data accessed via API. These analyses can be shared with the clients to consider the most appropriate strategies, products, and offers for their particular needs. For instance, open banking can evaluate a client's expenses on a regular basis over several years and provide client-specific discounts or offer client-specific deals in response to the client's current spending habits. Clients would also have the opportunity to compare and find the most suitable products for their investments.

The open banking model establishes a foundation for both banks and fintech companies, allowing them to implement custom products and interfaces according to clients' needs and to design their systems so that clients can access all of their accounts and financial data from a single interface. In other words, clients will be able to manage all of their banking transactions or investments through a single application or website.

Thanks to the open banking model, many clients will probably abandon their prior habits to use different banking applications or websites for their banking transactions and begin to use a single application or website developed by a third party service provider or a bank for all of their transactions.

Turkey and Open Banking

The BRSA introduced the first draft of the open banking regulation for public consultation at the end of 2018. On November 22, 2019, the Turkish Grand National Assembly codified open banking by introducing the Amendments to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (the "Law"), which made open banking a reality.

The BRSA issued the first secondary regulation on open banking systems in March 2020 with the Regulation. Turkey continues to work on the codification process in line with the Second Payment Services Directive (PSD2) of the European Union.

The Law defined payment initiation service providers (PISP) and account information service providers (AISP), which are open banking concepts, and established a legal background for these services. In order to provide these services under the Law, service providers must obtain an operating permit from the Central Bank of the Republic of Turkey ("CBRT").

In addition, the Regulation defined open banking for the first time.

A general framework for open banking is now regulated by the Law and Regulation; however, important details on open banking services will be shaped by future secondary regulations. One of the most important topics is whether banks will be forced to share financial data with third-party providers, such as financial technology companies.

When the Law and the Regulation are interpreted together, we expect the BRSA to regulate and supervise the secondary regulations regarding open banking to the extent that they relate to the banks, and the Central Bank to regulate and supervise them to the extent that they relate to the payment institutions.

Open Banking and Data Privacy

Besides banking regulations, personal data protection regulations are one of the legal areas most pertinent to open banking. Making client data available to actors other than banks is the foundational basis of open banking practices. The main novelty in open banking, in contrast to current banking practice, is sharing a client's information that is created or collected during the provision of the banking services with third parties, such as AISPs and PISPs, to enable them to provide their services. Banks are already subject to detailed obligations regarding the protection, processing and sharing of client data according to banking regulations and of client personal data according to personal data protection regulations. The most important subject for open banking is doubtlessly the restrictions and limitations on sharing this data with third parties.

At first glance, one might think that client data can be shared based on the client's consent and that the subsequent data processing for open banking services may be conducted based on the same consent. However, the practical implementation of open banking applications requires a deeper look and answering difficult questions, such as:

  • How do we establish the client instruction process necessary for client data per the banking regulations and the explicit consent process necessary for the personal data (a single or a separate instruction and consent process)?
  • Who will comply with these obligations (banks, AISPs, PISPs, TPPs)?
  • How should the instruction/consent records be kept and who will have access to the records?
  • How will the client/data subject exercise their right to withdraw their instruction/consent?
  • Which of the involved parties will be responsible for the accuracy of the data?
  • How can the involved parties share the liability for potentially malicious actors in the system?

In spite of these uncertainties, considering the potential benefits of the open banking applications, it is clear that the involved parties must find a balance between the need for data privacy as part of clients' fundamental rights and freedoms and the need for the free flow of data for economic, social and technological developments. The most effective approach to attaining this balance might be a coordinated effort from regulatory public authorities, such as the Personal Data Protection Authority and the BRSA, and the private entities that comprise or will comprise the sector. It is possible to argue that no one alone would be able to reach a solution and that experts and expertise from different areas must work together.

Conclusion

We believe that open banking will radically change customers' banking transaction habits and will be the first step in starting a new era of financial services spearheaded by banks and fintech companies.

You can access our client alerts regarding the open banking legislation in Turkey at "Turkish PSD2: Open Banking Reform, Enacted! / Marketplaces may need payment services license" and "New Regulation on Bank IT Systems and Electronic Banking Services".

Originally published 22/05/2020
