1 Legal and enforcement framework
1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?
Fintech institutions are subject to different regulations based on their activities (eg card/cardless payment processing; e-wallets; e-money). The applicable legislation may be categorised as follows:
- The payment regulations include Law 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (‘Payment Law');
- The credit and bank card regulations include Law 5464 on Bank Cards and Credit Cards (‘Credit Card Law);
- The know-your-customer (KYC)/anti-money laundering (AML) regulations include Law 5549 on the Prevention of Laundering Proceeds of Crime; and
- The banking regulations include Banking Law 5411 and the Regulation on Support Services Procured by Banks.
1.2 Do any special regimes apply to specific areas of the fintech space?
Yes. The fintech regulations are harmonised with EU regulations (eg, the Payment Law is the equivalent of the First Payment Services Directive, although it has yet to be aligned with the Second Payment Services Directive). Regulated payment activities are subject to different regulatory regimes, as follows:
- payment services (eg, facilitating payment transactions, money remittance, invoice payments, payment initiation services, account information services);
- issuance of e-money;
- operation of payment and securities settlement systems;
- issuance of credit and banking cards; and
- provision of payment devices (eg, point of sale terminals).
1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
The main regulatory body that supervises the payment ecosystem is the Central Bank of the Turkish Republic.
For some specific services, different bodies also fulfil certain regulatory duties, such as the following:
- The Revenue Administration regulates part of the payment device ecosystem; and
- The Financial Crimes Investigation Board regulates the KYC/AML requirements applicable to financial institutions.
Many fintech activities (particularly those involving the actual handling of money) require a licence, which is issued by the relevant regulatory body. Being licensed generally subjects an entity to the supervision and auditing of the licensing regulatory body. Also, most regulatory bodies have the power to request information and documentation and to conduct on-site examinations.
1.4 What is the regulators' general approach to fintech?
Fintech is a growing sector in Turkey and the regulators have acknowledged this fact. They are mostly open and welcoming of new business and service models, as long as service providers comply with the law and the regulators can deploy their regulatory powers where necessary.
The most important point of consideration for regulators is localisation. The nationalisation of the Turkish economy is of great importance for state bodies, due to both financial and national security concerns. System and data localisation and a local presence are prerequisites for most financial institutions to obtain a licence. Thus, if the fintech solution to be offered in Turkey requires a licence, a local operation in Turkey is needed.
1.5 Are there any trade associations for the fintech sector?
The Payment and Electronic Money Institutions Association is the most influential fintech association active in the industry.
Its founding chairman, Burhan Eliaçýk, has described the association and its aims as follows:
The only association representing FinTechs in Turkey, was founded by leading payment and electronic money institutions in 2015 and strives to build a FinTech ecosystem, and relationships with the government, public bodies, business associations, media and consumer groups.
The association aims to improve the payment and electronic money systems offered in Turkey and make the country an exporter of technology and knowledge in the FinTech world while trying to ensure close cooperation and solidarity between members and sectors.
The Payment Law also envisages the establishment of a new body – the Union of Payment and Electronic Money Institutions of Turkey – as a professional organisation with public institution status. Licensed payment and e-money institutions are obliged to become a member of the union within one month of receiving their licence. As of February 2020, the union is still being established.
2 Fintech market
2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?
The following sub-sectors all have established players in Turkey:
- payment processing;
- money remittance and transfers;
- bill payments;
- accounting and personal finance; and
- cryptocurrency exchanges.
Other fintech services – such as challenger banks, peer-to-peer lending, crowdfunding and insurtech – are not as developed, due to strict or non-existent regulations.
2.2 What products and services are offered?
The most common fintech practices are payment processing (eg, e-point of sale, money remittance, invoice payment), e-money issuance and e-wallet applications.
A map of the Turkish fintech ecosystem can be found at http://fintechtime.com/wp-content/uploads/2019/06/fintechtime_turkish_fintech_ecosystem_v6.01.jpg.
2.3 How are fintech players generally structured?
Where a licence is required to offer a certain service in Turkey (eg, payment or e-money services as defined under the Payment Law), fintech service providers must establish a company in Turkey which meets certain financial and organisational criteria. However, if no licence is required, the service can generally be offered from abroad without having a physical or legal presence in Turkey.
2.4 How are they generally financed?
Turkish fintech players primarily fall within three categories:
- ventures established by banks or holding companies; and
- local subsidiaries established by global fintech companies.
Aside from the regular payments received from customers in return for services provided, such companies are mostly financed by venture capital funds and funds received from their parent companies.
2.5 How are they positioned within the broader financial services landscape?
The Turkish financial services sector is still dominated by traditional banks. However, due to their innovative solutions and – for payment facilitators – lower commission charges, fintech companies are becoming increasingly attractive to both consumers and small and medium-sized enterprises.
2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?
Start-ups in Turkey generally outsource some of their back office functions and access to such services is easily available. Some specific provisions apply to licensed payment and e-money institutions with regard to the outsourcing of information systems. The Communiqué on Management and Auditing of Information Systems of Payment and Electronic Money Institutions of 27 July 2014 requires the inclusion of certain mandatory content in outsourcing agreements regarding information services – for example, provisions on service levels, a continuity plan and access to information and documents of the service provider. The communiqué further restricts licensed payment service providers from procuring public cloud services to store information relating to payment services.
3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)
(a) Internet (e-commerce)
E-commerce is regulated under Law 6563 on Regulation of Electronic Commerce and other relevant secondary legislation enacted in accordance with the law.
Law 6563 imposes certain additional obligations on service suppliers and intermediary service providers (online marketplaces which provide their services electronically, specific to e-commerce). These include the following:
- disclosure of mandatory information before the customer enters into the contract;
- certain procedural steps for the finalisation of orders;
- rules on commercial communications and posts; and
- security and data privacy compliance requirements.
The Communiqué on Safety Stamps in E-commerce also regulates the procedures and principles for using safety stamps in e-commerce. Accordingly, e-commerce service providers and intermediary service providers can use a safety stamp to guarantee trust and safety for customers. These providers should also comply with the minimum standards of safety and service quality.
In light of the above, e-commerce service providers and intermediary service providers may demand compliance with the relevant regulations and assistance to this end from the fintech players from which they procure services.
(b) Mobile (m-commerce)
There is no specific legislation on mobile commerce; the e-commerce legislation also applies to m-commerce.
(c) Big data (mining)
There is no specific legislation on big data (mining) technology. Nevertheless, Law 6698 on Protection of Personal Data applies with regard to the consent of data subjects to the collection and processing of their personal data.
(d) Cloud computing
Although there is no dedicated legislation applicable to cloud computing, certain industries and sectors are bound by data localisation requirements. The financial sector is one of them and accordingly, all information systems of banks, payment entities and payment system and security settlement operators should be located in Turkey.
(e) Artificial intelligence
There is no specific legislation applicable to artificial intelligence technology in Turkey. Nevertheless, Law 6698 on Protection of Personal Data provides that the consent of data subjects must be obtained to collect and process their personal data.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
There is no specific legislation on distributed ledger technology. Nevertheless, certain administrative acts and policies are worth mentioning. First, Turkey's Central Bank does not consider cryptocurrencies to constitute electronic money. The Capital Markets Board has also declared that cryptocurrencies cannot be deemed as capital markets instruments.
The Financial Crimes Investigation Board's Guidelines for Suspicious Transactions had initially identified any "money transfer to intermediary entities that are selling bitcoin from customer accounts, for bitcoin purchasing" as a type of suspicious transaction. The board subsequently amended this guidelines, describing "money transfers to domestic or foreign crypto currency exchange markets or natural or legal persons for the purposes of purchasing crypto currencies, which are not suitable with the respective [bank] customer's profile in terms of frequency and volume" and "incoming money transfers to [bank] customer accounts, either whose sender is unknown or reason is crypto currency sale" as examples of suspicious transactions.
The President's Annual Programme for 2019 and the Ministries of Treasury and Finance and Commerce have promoted initial coin offerings and blockchain technologies as modern financing methods, and the Capital Markets Board has been authorised to this end.
4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.
(a) Crowdfunding, peer-to-peer lending
Crowdfunding is a newly regulated field in Turkish law. It is mainly regulated under Law 6362 on Capital Markets and the Communiqué on Equity-Based Crowdfunding of 3 October 2019.
As per the communiqué, both companies and projects which meet the criteria set forth in the communiqué may be funded through crowdfunding platforms, by providing company shares to prospective investors. For companies, the criteria are as follows:
- engagement in technology and/or production activities;
- incorporation as a joint stock company;
- incorporation within five years of the crowdfunding announcement;
- provision and regular monitoring, maintenance and control of a company website;
- compliance with certain requirements in terms of company revenues; and
- the status of a private company that is not controlled by another legal person.
For projects, the criteria are as follows:
- subject matter which relates to technology and/or production activities; and
- the potential for incorporation as a joint stock company.
In addition, in both cases crowdfunding platforms must be provided with certain information forms and subscription agreements must be concluded so that the company or project can be accepted by the platform.
Fintech projects and companies may thus be funded through equity-based crowdfunding where they fulfil the conditions set forth above. However, as the regulation is very new, no such crowdfunding platforms have yet been established and no equity-based crowdfunding activities have as yet taken place.
Until very recently, lending-based crowdfunding on the Turkish market was strictly forbidden, as under the banking legislation it is not possible for someone to provide money in return for consideration such as interest without authorisation from the relevant authorities. In this regard, peer-to-peer lending was not permitted. However, with the enactment and announcement of Law 7222 on 25 February 2020, peer-to-peer lending via crowdfunding platforms has been recognised under Turkish law for the first time. Lending-based crowdfunding activities may now be carried out by way of peer-to-peer lending and the banking legislation will not apply to such activities.
Given that lending-based crowdfunding has only just been recognised under Turkish law, there is a need for secondary legislation in order to clarify the application of the new legislation.
Other forms of crowdfunding (ie, reward-based or donation-based) are not regulated under Turkish law.
As it is not prohibited, reward-based crowdfunding is currently taking place through certain platforms. However, the investors and companies funding the projects cannot be given company shares or monetary consideration, but only a reward with moral value or a discount on the purchase of the funded product. As a result, the volume of reward-based crowdfunding is not high.
Donation-based crowdfunding is a controversial issue under Turkish law, as it may contravene Law 2860 on Aid Collection and the relevant communiqués; thus, it is not very common.
(b) Online lending and other forms of alternative finance
Venture capital investment and angel investment are established alternative finance methods available in Turkey. In addition, as a result of the enactment of Law 7222 on 25 February 2020, the provision of project finance by project finance funds for long-term investment in capital-intensive sectors, such as technology and energy, has become another alternative finance method.
(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb)
As such marketplaces may provide services in a diverse manner, a diverse range of laws will apply to them. In this regard, in addition to the laws discussed in question 1.1, the following laws may be applicable:
- Law 6502 on Consumer Protection;
- Law 6563 on Electronic Commerce;
- Law 5809 on Electronic Communications;
- the Turkish Penal Code (Law 5237); and
- Law 5651 on the Regulation of Publications in the Internet Environment and Combating Crimes through these Publications.
As per the Communiqué on Principles Regarding Investment Services and Activities and Ancillary Services, institutions providing forex services and forex transactions must fulfil certain conditions – such as minimum capital requirements – and are subject to the authorisation and supervision of the Capital Markets Board of Turkey (CMB). In this regard, fintech companies that meet such conditions and wish to carry out forex activities by themselves on the Turkish markets must apply to the CMB for a licence.
As per the Capital Markets Law and relevant secondary legislation of the Istanbul Stock Exchange, trading companies must fulfil certain conditions and are subject to the authorisation and supervision of CMB. In this regard, fintech companies that meet such conditions and wish to carry out trading activities by themselves on the Turkish markets must apply to the CMB for a licence.
(f) Investment and asset management
There are no fintech-specific regulations applicable to investment and asset management under Turkish law.
(g) Risk management
There are no fintech-specific regulations applicable to risk management under Turkish law.
There are no specific regulations applicable to roboadvice companies under Turkish law. However, roboadvice companies may be subject to the relevant laws and may apply for authorisation to conduct activities if they intend to provide advice within regulated fields.
There are no specific regulations applicable to insurtech companies under Turkish law. In this regard, like ordinary insurance companies, insurtech companies are obliged to comply with the insurance legislation, including:
- Law 5684 on Insurance;
- Law 5510 on Social Security and General Health Insurance;
- Law 6305 on Natural Disaster Insurance; and
- Law 6502 on Consumer Protection.
5 Data security and cybersecurity
5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?
The main law regulating protection of personal data in Turkey is Law 6698 on Protection of Personal Data. This law is modelled on the now repealed EU Data Protection Directive (95/46/EC) and implements the European principles on data protection. The law includes no specific provisions on fintech companies or financial information, so its general provisions will apply. The main regulatory body for the protection of personal data in Turkey is the Personal Data Protection Board. The board is authorised to enforce the Law on Protection of Personal Data and issue sanctions in case of violations.
Foreign fintech service providers that process the personal data of persons residing in Turkey are also bound by the Law on Protection of Personal Data, even if they have no physical or legal presence in Turkey. For example, they must register with the Personal Data Protection Board as a data controller, and must submit a data breach notification to the board should a possible data breach affect the data of Turkish citizens which is processed by the foreign fintech company.
5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?
Turkey does not have a specific catch-all cybersecurity regime in place, but certain IT systems-related obligations apply to financial service providers. The most relevant for fintech companies is the Communiqué on Management and Auditing of Information Systems of Payment and Electronic Money Institutions of 27 July 2014. The communiqué sets out certain cybersecurity-related technical and administrative requirements (eg, data and system localisation requirement; obligation to supervise the cybersecurity maturity of merchants; obligation to undergo independent IT auditing) for payment and e-money institutions licensed in Turkey.
6 Financial crime
6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?
Turkey has extensive anti-money laundering (AML) and counter-terrorism finance laws – primarily, Law 5549 on the Prevention of Laundering Proceeds of Crime (‘AML Law'). The AML Law requires relevant institutions (including certain financial institutions) to take measures in order to prevent money laundering and terrorist financing. Such measures include:
- carrying out know-your-customer (KYC) procedures;
- notifying suspicious transactions to the authority;
- implementing a compliance programme; and
- appointing a compliance officer.
The main regulatory body that is authorised in this field is the Financial Crimes Investigation Board (FCIB), established under the Ministry of Treasury and Finance.
The most critical AML requirement for fintech companies is the KYC obligation. The KYC obligations under Turkish law requires the user and the financial service provider to be physically present face to face. In general, this does not suit the online business models adopted by many fintech companies. As a result, verification methods carried out online are not adequate, unless a ‘simplified KYC' option applies. Simplified KYC procedures are available for payment service institutions and e-money institutions. Accordingly, such licensed service providers are not required to conduct customer identification for issuing electronic money and payment services used only for the purpose of purchasing goods and services and not exceeding:
- cash withdrawals in the amount of TRY 300 within the same year;
- if there is no option to reload, TRY 750 for funds stored electronically; and
- if there is an option to reload, total reloading per month of TRY 750 and in all cases a balance of TRY 750.
If these amounts are exceeded or the e-money is used for purposes other than the purchase of goods and services (eg, money transfers), then identity information (ie, name, surname, date of birth, nationality, Turkish identity number and foreign identity number) must be verified through the identity-sharing system database of the Ministry of the Interior – General Directorate of Population and Citizenship Affairs. The e-money top-up must also be executed through a bank account or credit card whose credentials are compatible with those verified during the registration. In this way, no face-to-face KYC is necessary. In other cases, face-to-face identity verification with formal identity documentation will be necessary.
The FCIB has also unofficially announced that it has been working on a legal amendment that would allow for the utilisation of ‘video KYC' methods (eg, verifying identity via webcams or smart phones).
7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?
The Turkish Competition Board has recently adopted a proactive approach towards the banking and fintech sectors, in order to ensure a competitive landscape. For example, in its Decision 18-19/337-167 of 12 June 2018, the board annulled an exemption granted to the card storage service of Interbank Card Center (BKM). BKM is a joint stock company incorporated through a partnership of 13 public and private Turkish banks, to provide solutions to common problems and develop rules and standards for the use of credit and debit cards in Turkey, within the card payment system. The board found that the fact that non-bank payment entities cannot integrate with banks to a similar extent as BKM is restricting competition on the relevant market. The board also noted that BKM's BKM Express service, which had also benefited from an exemption, should be re-examined, on the grounds that competition failures in the card storage services market will also affect the digital wallet services market. On appeal, the Ankara 16th Administrative Court upheld the board's decision, confirming that BKM had a competition advantage compared to non-bank payment entities due to its easy integration with banks. On 17 May 2019 it therefore rejected BKM's request for an annulment. Unless the Regional Administrative Court or the High State Court reverses on further appeal, the board's decision not to allow BKM to offer card storage services will become final.
In its Decision 19-20/291-126 of 30 May 2019, the board also revoked the exemption for the BKM Express service – a digital wallet that facilitates easy payment without disclosing the customer's card information to the seller. The board's reasoning was predominantly based on BKM's:
- privileged integration with banks, as compared to its competitors;
- privileged system for customer identification cards;
- cross-subsidisation of the BKM Express wallet through revenues generated from other activities,
- excessive marketing and promotion expenses; and
- ability to access commercially sensitive information of competitors through its clearing and settlement service.
Also, through its Decision 17-28/462-201 of 7 September 2017, the board revoked the exemptions previously provided for bonus credit card programme agreements concluded between Garanti Bank and several other banks. The board found that a prohibition on the sub-licensing of bonus credit card programmes imposed on participating banks foreclosed payment entities in the market from acquiring new business.
Moreover, in a preliminary investigation concerning exclusive agreements between money remittance service providers and banks, the Turkish Competition Board ordered Western Union and MoneyGram to end such agreements based on foreclosure in the consumer-to-consumer international money remittance services market, through its Decision 18-27/442-212 of 8 August 2018.
Through these decisions, the Turkish Competition Board has referred to competitive provisions of the Second Payment Services Directive and implied that the enactment of equivalent legislation in Turkey may foster competition in Turkey's fintech markets.
In light of the above, although the Turkish Competition Board had granted certain exemptions for the development of financial technologies and the establishment of cooperation between banks and other players, it is also closely monitoring the competitive structure of relevant markets and taking necessary measures to preserve competition and prevent the emergence of dominant undertakings in the fintech sector.
8.1 How is innovation in the fintech space protected in your jurisdiction?
There is no specific legislation on the protection of fintech innovations.
Software is considered an artistic work under Law 5846 on Intellectual and Artistic Works. Software is therefore subject to copyright, but not to patents. Copyright in a work developed by a group of people is held by the legal entity which employs them or of which they are partners.
8.2 How is innovation in the fintech space incentivised in your jurisdiction?
As per the Eleventh Development Plan prepared by the President's Strategy and Budget Department, as published in the Official Gazette:
- an efficient competitive landscape among financial entities must be ensured;
- the transactional costs of financial entities will be reduced and access to verifiable information will be eased;
- the development of alternative money and payment systems will be promoted;
- a secure fintech ecosystem, which provides for equality of opportunity, will be supported by learning from good international examples;
- the Istanbul Finance and Technology Base will be established;
- relevant legislation will be aligned with the Second Payment Services Directive for the purposes of promoting open banking; and
- a number of other promotions, encouragements and investments regarding the development of fintech will be implemented.
Also, although it is not fintech specific, the following legal framework incentivises fintech innovation in Turkey:
- Law 4691 on Technology Development Zones: This allows fintech companies located in technology parks to benefit from tax and social security payment discounts or exemptions.
- The Regulation on Individual Participation Capital: This regulates the angel investment and entrepreneurship ecosystem. Accordingly, 75% of the value of participation shares in fintech companies established under Turkish law that are held by business angels or individual investors can be deducted from the individual investor or business angel's income tax base for the next tax year.
- The Decision on State Aid for Investments: This sets out three different investment incentivisation regimes: general, regional and strategic. In broad terms, these provide for certain exemptions and deductions of taxes (eg, value added tax, customs tax) and levies arising from labour and social security laws, and may provide for the allocation of property.
Turkey has no regulatory sandbox to test innovative fintech technologies.
9 Talent acquisition
9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?
There is no specific legislation on employment in the fintech sector. Law 4857 on Labour applies to almost all employment relationships and regulates the rights and obligations of both parties.
Turkish labour law includes provisions on mandatory health insurance, workplace safety, maximum working hours, severance, notice, annual leave and minimum wage requirements, among other things.
9.2 How can fintech companies attract specialist talent from overseas where necessary?
There is no specific legislation on recruiting talent from abroad in the fintech sector. The following legislation applies to the recruitment of overseas talent in Turkey:
- Law 6458 on Foreigners and International Protection;
- Law 6735 on the International Workforce;
- Law 4817 on Foreigners' Work Permits; and
- Law 5683 on Residence and Travel of Foreigners in Turkey.
10 Trends and predictions
10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
Significant amendments were made on 11 November 2019 to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. The amendments are critical for the evolution of the Turkish fintech sector, as they further align the payment legislation with the Second Payment Services Directive (PSD2):
- The Central Bank of Turkey is now recognised as the sole supervisory body for payment and e-money services in Turkey.
- A licensing requirement has been introduced for two new financial services, which may be considered the equivalents of ‘payment initiation services' and ‘account information services' as defined under PSD2.
- The Central Bank of Turkey is now authorised to establish the principles and procedures for sharing data between payment service providers, thus laying the groundwork for open banking in Turkey.
More information on the proposal can be found here.
11 Tips and traps
11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?
- The fintech ecosystem is gaining traction fast and the regulations are also evolving swiftly. Players must watch out for developments on the market to ensure that they do not fall behind and can fully capitalise on the benefits of this newly emerging market.
- Maintaining a dialogue with stakeholders in the sector (eg, state agencies, existing players such as banks and industry associations) is crucial when establishing a business in Turkey. Players seeking to expand into Turkey should identify key stakeholders with whom they may establish beneficial business relations in the future.
- Compliance with the financial regulations is a must. Financial services are regarded as a matter of national security by government authorities and the legal rules are strictly enforced. It is critical to assess where a potential business model fits under the law and which rules therefore apply.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.