The Communiqué on Information Systems of Payment Institutions and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services (the "Communiqué"), which was published in the Official Gazette dated 1 December 2021 and numbered 31676 and entered into force on the same date, has been amended by the Communiqué Amending the Communiqué on Information Systems of Payment Institutions and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services (the "Amending Communiqué") published in the Official Gazette dated 7 October 2023 and numbered. This Monthly Update aims to provide a brief explanation regarding the Amending Communiqué and highlights the essential novelties introduced therein.

Amendments to the Establishment of Audit Trails

Prior to the amendment, the rule was that no transaction could be carried out if the audit trail registration system stopped. The Amending Communiqué retains this as the main rule, yet sets out the procedure to be followed in exceptional cases. Thus, the main principle is that if the audit trail registration system stops for any reason, no transactions should be carried out until it is restarted. If any transactions are carried out during this period, the audit trails of these transactions must be recorded in the audit trail registration system while maintaining the security and integrity of the system. Where the audit trail registration system stops and transactions continue to take place, the burden of proving that the transactions were carried out in accordance with the Communiqué and the relevant legislation lies with the Institution. In addition, if any party suffers damage due to the transactions carried out within such period, the Institution is obliged to indemnify the parties for the damage incurred.

Additionally, information on the application where the access or transaction took place, the communication network protocol, the time, and the source/destination port and IP has been added to the minimum requirements for the records to be kept in the audit trail registration system.

Novelties on Information Systems, Outsourcing Processes and Data Security

As per the Amending Communiqué, the provision setting out the minimum elements to be included in an outsourcing contract will be applied, to the extent compatible with the nature of the service procurement, to service procurements (i) that do not have the potential to affect the confidentiality, integrity and accessibility of the data and the continuity of the services provided by the Institution, (ii) that do not result in the sharing of sensitive customer data and customer information with the external service provider, (iii) that are not designed and provided specifically for the Institution.

Another prominent issue introduced by the Amending Communiqué is that the products and services to be procured within the scope of critical information systems and security must be produced in Turkey or the R&D centers of their manufacturers must be located in Turkey. Such producers and manufacturers are obliged to have response teams in Turkey. Accordingly, the Central Bank of the Republic of Turkey (the "CBRT") is authorized to determine additional conditions regarding the security products and the other information technology elements to be used by the Institutions.

Pursuant to the Amending Communiqué, if the Institution or the service provider is located abroad, the Institution can transfer the required data to third parties abroad provided that such transfer is necessary for the execution of the payment transaction and in accordance with the principle of proportionality. In this case, the Institution is obliged to store the data domestically and to comply with the Personal Data Protection Law numbered 6698. In addition to all these conditions, the CBRT may suspend or impose additional restrictions on transfers if it assesses that the development of the payments area will be adversely affected.

Amendments Regarding the Remote Communication Systems

Within the scope of the Amending Communiqué, if the contractual relationship process occurs through remote communication, the Institution is required to use internet-based methods that will allow remote identification and verification of the person to be identified. According to the Amending Communiqué, the obligations to be fulfilled by the Institution are as follows: (i) obtaining the information and documents required for identification; (ii) checking the accuracy of the information and documents provided through near field communication, and if this is not possible, ensuring the control by one of the means determined by the CBRT, confirming their authenticity and recording them; (iii) obtaining the approval and explicit consent of the person regarding the use of biometric data and the execution of the contract process by means of remote communication; (iv) verifying that the photograph and information of the person to be identified match; and (v) performing device and environment control.

The aforementioned processes need to be carried out in real time and without interruption, through secure peer-to-peer communication with high-quality video and audio. If there is any doubt regarding the authenticity of the documents, the process should be terminated by the Institution. If these conditions are not met, a contract cannot be established through online real-time video, online real-time moving photographs or video calls. All responsibilities arising from the contracts belong to the Institution.

Periods for the Institutions to Fulfill Their Obligations

Pursuant to the Amending Communiqué, payment service providers that do not provide direct online access to their customers are required to fulfill their obligations regarding the data sharing service until 31 December 2025. It has been regulated that the provision of non-standard services by payment service providers holding payment accounts will not be considered as a violation until 30 June 2024.

Moreover, the Institutions that have applied to the CBRT for an operating license and whose applications are still under evaluation, as well as Institutions that meet the qualifications specified in the Amending Communiqué and have obtained permission from the CBRT to provide payment services, can also provide services using non-standard services until 30 June 2024. This term can be extended by the CBRT for a maximum of six months.

Additionally, the Institutions that have been granted a limited operating license for the provision of payment services in the form of money transfers shall be obliged to comply with the limitations on information systems of the Amending Communiqué until 30 June 2024, provided that they continue to comply with the prerequisites set forth by the Banking Regulation and Supervision Agency when granting the operating license. The CBRT is authorized to extend this period two times, each time not exceeding six months.

Conclusion

The Amending Communiqué has introduced substantial novelties regarding the outsourcing process for information systems and data transfers, as well as the process of identification and the establishment of the contractual relationship to be carried out through remote communication methods. The limits that Institutions must comply with while transferring data abroad have been more explicitly determined. Ultimately, new obligations have been imposed on the Institutions within the scope of the Amending Communiqué.
