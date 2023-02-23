ARTICLE


1. Introduction

Cloud services are widely used by technology and FinTech companies. Accordingly, data transfer and payment services are regulated with specific legislation in Turkey. Recently, with the Guidelines for External Service Providers Offering Community Cloud Services ("Guideline") that the Central Bank of the Republic of Turkey ("CBRT" or "Bank") has published, the requirements on external service providers wishing to offer services through the community cloud service model have been regulated. FinTech companies need to comply with these requirements within the given effective period of one year in order to continue providing their services. This article will give insights into the legal framework surrounding cloud services in general, especially community cloud services, and bring criticism to the recently published Guideline.

2. FinTech Regulations and Community Cloud

a. What is "Community Cloud"?

The models under which cloud computing services are offered are classified as private cloud, community cloud, public cloud and hybrid cloud.1 This article focuses on the regulations regarding community clouds, which are defined as cloud systems where the IT resources - which could be on the users' site or outsourced - are shared between a closed community.2 A multi-agency cloud service provided exclusively to government bodies can be given as an example of a community cloud.3

b. Legal Framework on FinTech

The Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services ("Communiqué") was published in the Official Gazette dated 1 December 2021 and numbered 31676, based on the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers ("Regulation") and the Law No. 6493 on Securities Settlement Systems, Payment Services and Electronic Money Institutions ("Law"). Article 16 of the Communiqué stipulates that external service providers may provide external services through a community cloud service model in which hardware and software resources are allocated only to payment service providers or to other credit/financial institutions whose information systems activities are regulated and supervised by a competent authority within the framework of the relevant legislation, and in which those resources are physically shared but each payment service provider is logically assigned its own separate resource.

Paragraph 7 of Article 16 of the Communiqué reads as follows:

"(7) ...If offered by external service providers deemed appropriate by the Bank, the institution may receive external services through the community cloud service model where hardware and software resources are allocated only to payment service providers, financial institutions or other credit institutions activities of which relating to information systems are regulated and supervised by a competent authority within the framework of the relevant legislation are physically shared but logically assigned a separate resource specific to each payment service provider..."

Under Paragraph 7 of Article 16 of the Communiqué, organizations can outsource services through the community cloud service model if this service is provided by external service providers approved by the CBRT. This paragraph also gives the CBRT the authority to determine the eligibility of external service providers that can offer external services through the community cloud service model.

3. The Guideline

Pursuant to its authority, the CBRT published the Guideline in July 2022. It should be noted that due to the eligibility requirements set out in the Guideline, external service providers who do not comply with these requirements but still wish to offer services through the community cloud service model will no longer be able to continue their activities, even if they are already offering these services under the Law and the Communiqué.

The Guideline has an important place in the legislation scheme surrounding community clouds, since it is the most recent regulatory document on the subject and aims to answer up-to-date issues.

The Guideline assesses different business models in the online payment services industry, specifying which of these models must be regarded as "payment services" within the meaning of Article 12(1) of the Law and which aspects of the Law require CBRT permission. It also provides assistance in understanding the provisions of the Law under which CBRT approval is required for business models involving various payment operations such as money transfer, digital wallet, mobile payment intermediary, and virtual POS.

Every kind of transaction required to operate a payment account, including services that enable the customer to deposit cash to or withdraw cash from a payment account, is considered within the scope of the Guideline.

Additionally, issuing or acquiring payment instruments, money remittance, intermediation of invoice payments, issuance of electronic money, and displaying on internet platforms the combined information regarding one or more payment accounts kept by payment service providers are also considered "payment services" under the Guideline.

The Guideline includes explanations of the eligibility requirements for external service providers wishing to offer services through the community cloud service model, the steps to be taken when applying for eligibility, how the eligibility assessment is conducted, and how the compliance level is monitored.

Under paragraphs 1.a and 1.b of section A of the Guideline, titled "Eligibility Requirements", external service providers wishing to offer services through the community cloud service model must meet the following eligibility requirements:

"Providing at least one of the conditions that it;

1.a. is a private law legal entity in which they are the main shareholder,

b. it operates within an association established by law,

..."

With regard to condition 1.a., it is considered that the eligibility requirement should be revised in line with the Communiqué, and that the main shareholders of credit institutions and financial institutions should also be able to provide community cloud services. Additionally, it is necessary to clarify what is meant by "association" in 1.b., which is a concept that is not defined in the Communiqué.

Paragraphs 4.a, 4.b and 4.c of section A of the Guideline set forth other requirements that external service providers wishing to offer services through the community cloud service model must follow. These paragraphs read as follows:

"...4. Have the following certificates that are still valid:

a. A Tier 3 or Tier 4 data centre infrastructure certificate for the primary centre; if the secondary centre does not have a Tier 3 or Tier 4 data centre infrastructure certificate, has met the requirements to meet these certificates,

b. ISO/IEC 27001 or TS ISO/IEC 27001 Information Security Management System certificate,

c. ISO 22301 or TS EN ISO 22301 Business Continuity Management Systems certificate..."

With these paragraphs, the importance given to the availability of certifications and systems, which are also included in the European Union's Code of Conduct for Data Protection Cloud Service Providers and the Cyber Security Law regulations adopted in 2019, is expressed within the scope of this Guideline.

Section B of the Guideline sets out the steps for applying to the CBRT for eligibility. According to these provisions, an external service provider wishing to provide services to organizations through the community cloud service model shall apply in writing to the CBRT with the information and documents specified in the Guideline, pursuant to the seventh paragraph of Article 16 of the Communiqué.

It is stipulated that the CBRT shall not consider the application if the required information and documents are not complete and will notify the external service provider in writing and give a reasonable period of time – not exceeding 30 (thirty) days – to complete the documents.

In Section C of the Guideline, rules for assessing eligibility are provided. The CBRT may request additional information and documents from the service provider during the evaluation process and shall notify the applicant service provider in writing after completing its evaluation.

It is important to note that the Provisional Article 1 of the Communiqué states that the institutions operating as of the date of entry into force of the Communiqué are obliged to comply with the provisions introduced by this Communiqué within one year following the date of publication of the Communiqué.

Organizations operating as of the date of entry into force of the Communiqué are given a transition period of one year from the date of publication of the Communiqué in order to comply with the provisions introduced by the Communiqué. Even though this transition period is provided for the organizations, it is considered that external service providers that provide community cloud services, and not only organizations, must also be able to benefit from this one-year transition period.

Additionally, considering that the effective period set by the Communiqué is one year, the requirements to be introduced by the Guideline should also be harmonized within the same one-year period. Since the Guideline was published in July 2022 and contains new requirements not specified in the Communiqué, external service providers that will offer community cloud services have less than one year to comply with the Communiqué.

4. Conclusion

Recently, the CBRT published the Guideline which brings additional eligibility requirements for the external service providers wishing to offer services through the community cloud service model.

It is considered that the Guideline may only introduce technical qualifications on issues that can be determined by the Guideline and that do not narrow the rules set out in the Communiqué, and that a transition period of one year should be granted for compliance with these technical qualifications, again in parallel with the Communiqué.

Considering that the Guideline was published in July 2022 (the date has not been announced), external service providers offering relevant community cloud services should be given until July 2023 to fulfil the technical qualifications.

While the CBRT's authority to regulate is undisputed within the scope of the Communiqué, it must be pointed out that guidelines are structures that do not exist in the hierarchy of norms. The guidelines are published to support and guide activities to be carried out in accordance with the secondary legislation and to explain and elaborate the rules set out in the Constitution, the Law and the secondary regulations only to the extent of clarification and applicability.

Thus, it is considered that the Guideline should not restrict an activity that external service providers can lawfully carry out within the scope of the Communiqué.

Bibliography

Çark Ö and Akyürek S, 'Bulut Bilişim Teknolojisinin İşletmeler Açısından Önemi ve Turizm Sektörü Açısından Değerlendirilmesi' (2021) 5 EUJMR 8 72 date accessed 17 January 2023

European Commission 'Commission Staff Working Document: Unleashing the Potential of Cloud Computing in Europe' (2012) 529 date accessed 17 January 2023

Guidelines for External Service Providers Offering Community Cloud Services date accessed 30 January 2023

Law No. 6493 on Securities Settlement Systems, Payment Services and Electronic Money Institutions date accessed 30 January 2023

Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers date accessed 30 January 2023

The Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services date accessed 30 January 2023

Footnotes

1 Özgür Çark and Salim Akyürek, 'Bulut Bilişim Teknolojisinin İşletmeler Açısından Önemi ve Turizm Sektörü Açısından Değerlendirilmesi' (2021) 5 EUJMR 8 72 https://dergipark.org.tr/en/download/article-file/1663450 date accessed 17 January 2023

2 European Commission 'Commission Staff Working Document: Unleashing the Potential of Cloud Computing in Europe' (2012) 529 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012SC0271&from=PL date accessed 17 January 2023

3 Ibid.
