Liability schemes in outsourcing and tech contracts: A cross-border survey
A key question customers and suppliers want answered about their outsourcing and technology contracts is whether their liability position is market-standard.
Ekin İnal and Ecem Naz Boyacıoğlu
Reproduced from Practical Law with the permission of the publishers. For further information, visit www.practicallaw.com.
The Banking Law No. 5411, which entered into force on 1 November 2005 (Banking Law), provides the legal framework regarding banking activities to ensure the reliability and stability of financial markets and to promote the effective functioning of loan markets. The following entities can be established under the Banking Law:
These categories also include Turkish branches of foreign banking institutions conducting equivalent banking services in their home countries.
Financial holding companies (finansal holding şirketleri) are companies whose subsidiaries are banks and/or other financial institutions, and of which at least one is a deposit or participation bank.
The Law on Financial Leasing, Factoring, and Financing Companies No. 6361, which entered into force on 13 December 2012 (Financial Leasing Law), provides the legal framework regarding the establishment and activities of financial leasing, factoring, and financing companies. The following entities can be established under the Financial Leasing Law:
The Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Companies No. 6493, which entered into force on 27 June 2013 (Law on Payment Systems), provides the legal framework regarding payment and securities settlement systems, payment services and relevant entities, and electronic money companies. The following entities can be established under the Law on Payment Systems:
The Insurance Law No. 5684 (Insurance Law), which entered into force on 14 June 2007, provides the legal framework for the insurance sector, ensuring its reliability and stability. The following entities can be established under the Insurance Law:
The Insurance Law also regulates insurance agencies and brokers. Insurance agencies (sigorta acenteleri) execute insurance policies for and on behalf of insurance companies, assist with the preparatory works and implementation of insurance contracts and claims payments in a defined geographical area. Insurance brokers (sigorta brokerleri) assist the insured in the selection of the appropriate insurance and reinsurance company and preparatory works of the contract, and if required, in the implementation of contract and claims payments.
The Capital Markets Law No. 6362 (Capital Markets Law), which entered into force on 30 December 2012, provides the principles regarding capital market activities and instruments, public companies, listed companies, investment companies and other capital markets entities, stock exchanges and other organised markets. The following entities can be established under the Capital Markets Law:
Other types of entities provided by the Capital Markets Law include authorised audit companies, appraisal firms, credit rating agencies, portfolio management companies, mortgage finance companies, housing and asset financing funds, asset lease companies (established for issuance of lease certificates/sukuk bonds), central clearing institutions, central depository institutions, crowdfunding platforms and trade repositories.
The Banking Regulation and Supervision Agency (Bankacılık Düzenleme ve Denetleme Kurumu) (BRSA) was established in 2000 as an independent and central supervisory authority to supervise the establishment, management and activities of banks and other financial institutions, including:
BRSA is vested with the authority and responsibility to protect the rights of depositors and ensures reliability and stability in financial markets and promotes the effective functioning of the loan markets. The main responsibilities and powers of the BRSA include:
The Capital Markets Board of Turkey (Sermaye Piyasası Kurulu) (CMB) is the regulatory authority responsible for ensuring reliability and stability in Turkey's securities market. Established in 1981, and currently operating under the Capital Markets Law, its objectives are to provide for fair and orderly functioning of the capital markets and the protection of rights of the investors.
The main strategic objectives of the CMB are to:
The Central Bank of the Republic of Turkey (Türkiye Cumhuriyeti Merkez Bankası) (Central Bank) is an independent entity, primarily responsible for the administration of the monetary and exchange rate policies of the Turkish economy. Established in 1931, the Central Bank also regulates banks in relation to their foreign currency operations, reserve requirements and capital adequacy rules.
The main strategic objectives of the Central Bank are to:
As of 1 January 2020, the Central Bank has been authorised to oversee payment companies and electronic money companies, instead of the BRSA. An amendment dated 22 November 2019 (Amendment Law) introduced important changes to the Law on Payment Systems, making the Central Bank the primary regulator of the payment systems sector, increasing the scope of the Central Bank's existing supervisory powers under the applicable legislation and paving the way for open banking (see Question 6).
The main strategic objectives of the Ministry of Treasury and Finance are to:
The Ministry of Treasury and Finance's duties in respect of the insurance sector have been recently transferred to the Insurance and Private Pension Regulation and Supervision Agency (Sigortacılık ve Özel Emeklilik Düzenleme ve Denetleme Kurumu) (Agency) under Presidential Decree No. 48, which entered into force on 18 October 2019. The Agency will be officially established once it convenes its first board meeting following the appointment of the chairman and members of the board, and its main strategic objectives are:
BIST, the sole stock exchange in Turkey, combines in a single institution the Istanbul Stock Exchange, Istanbul Gold Exchange and the Turkish Derivatives Exchange (all of which existed previously). There are currently four main markets on BIST:
The main markets consist of several sub-markets, for example, the BIST Star and BIST Main sub-markets under the Equity Market. Companies deemed eligible to form the Borsa Istanbul National 100 index and companies that have quoted shares with a market value of TRY150 million or more constitute the BIST Star sub-market with the rest of the listed companies forming the BIST Main sub-market.
Financial instruments currently traded on BIST markets include equities, exchange traded funds, government bonds and bills, corporate bonds and bills, covered bonds, money market instruments (repo/reverse repo), asset backed securities, futures and options, real estate certificates and lease certificates. Lease certificates modelled on sukuk bonds may be issued based on revenues to be generated from an ownership, management, sale and purchase, partnership or service contract.
For each segment of the financial industry, there are also self-regulating organisations, including:
The promulgation of the Law on Payment Systems in 2013 is an important step in the development of the FinTech sector in Turkey (see Question 6). As a result, FinTech has been a key innovator for payment systems and money collection and transfer (including pre-paid cards, digital wallets, invoice and accounting, budget management, offline payments, money transfers, loyalty cards, bill collection, cash collection, cash registers and point-of-sale devices and credit scoring).
The traditional financial services sector in Turkey is led by banks, which have rapidly responded and adapted to FinTech due to:
Turkish banks offer advanced retail banking products, ahead of many of their international competitors, including loan applications submitted through text messages, cash withdrawals using a QR code, mobile contactless payments, artificial intelligence-based financial assistants, and opening bank accounts through video conference. Certain products offered by Turkish banks also involve co-operation with FinTech entities, such as mobile internet banking applications, and even with public authorities, such as the General Directorate of Land Registry and Cadastre for electronically establishing a mortgage.
Securities and insurance sectors have also been influenced by FinTech to a lesser extent (see Question 7 and Question 8).
There is no specific legislation regarding the use and application of FinTech on marketplace lending activities (including B2B, B2C, C2C, peer-to-peer lending and so on). Lending activities are highly regulated in Turkey on a national level by the BRSA.
Only BRSA-authorised entities can legally conduct lending activities under the Banking Law or the Financial Leasing Law. Unauthorised money lending and earning interest from such funds is a crime, defined as usury (tefecilik), which is punishable by two to five years imprisonment and punitive fines of up to TRY500,000 (Criminal Code No. 5237).
Accordingly, no B2B, B2C, C2C, or peer-to-peer lending platforms are currently active in Turkey and no such activity may be conducted under the current legislation.
However, crowdfunding activities and platforms are permitted and regulated on a national level by the CMB. Under a set of amendments to the Capital Markets Law made on 5 December 2017, crowdfunded project entities are defined, and carved out of the legal definition of "public entity" (i.e. joint stock companies with more than 500 shareholders, which are deemed to be public even if their shares are not traded on Borsa Istanbul). As public companies have a number of disclosure and corporate governance requirements that may be burdensome on a crowdfunded project entity, such carve out provides for a regulatory environment that supports the establishment and development of crowdfunded entities.
Additionally, crowdfunded project entities are carved out of the definition of "issuer" and are not required to issue a prospectus or offering circular to launch crowdfunding campaigns. They are also exempt from extensive book keeping and disclosure requirements that are applicable to public entities and issuers, which also helps develop and support the crowdfunding industry.
Under secondary legislation on equity-based crowdfunding adopted on 3 October 2019, technology or production start-up companies can apply to crowdfunding platforms to raise capital in return for equity. Such platforms are regulated on a national level by the CMB (for example, crowdfunding platforms require the approval and whitelisting of the CMB to commence operations, and their corporate structure, corporate governance and activities are supervised by the CMB).
FinTech is widely used in payment-related activities in Turkey; for example, internet and mobile banking systems are well-established with a high market penetration rate. These services allow customers to conduct banking transactions, including national and international money transfers (subject to certain limitations regarding processing orders outside of usual banking hours). General regulations applicable to financial services infrastructure are also applicable for money transfer transactions. For further information on other regulations applicable to the use of FinTech, see Question 10.
Payment systems are regulated on a national level under the Law on Payment Systems.
Under the Law on Payment Systems, the following payment services can be conducted by payment entities (ödeme kuruluşları):
Under an amendment dated 22 November 2019 to the Law on Payment Systems, the scope of payment services was expanded to include, as of 1 January 2020, open banking solutions as follows:
Although some banks have already started offering open banking products to its customers, it is important that open banking is now explicitly provided for in the legislation. We expect that this regulatory framework will help expand and develop open banking solutions. With the use of open banking, customers will be able to better manage their financial information and multiple bank accounts, and negotiate tailormade financial products and solutions using this data. Open banking will help more FinTech entities, which usually have limited resources compared to banks, to develop innovative products using banks' application programming interfaces (APIs).
In addition, the Central Bank may decide that other payment services and transactions reaching a certain threshold with regard to their overall size and impact area will qualify as payment services.
Payment entities can commence operations upon obtaining a licence granted by the Central Bank (which was previously granted by the BRSA).
The following entities can conduct payment service activities:
Under the Law on Payment Systems, the following payment services can be conducted by e-money entities (elektronik para kuruluşları) once they have obtained an operation licence from the BRSA (or the Central Bank, as of 1 January 2020):
The prerequisites for obtaining an operation licence for conducting payment service activities and/or e-money entities include:
Persons who hold more than 10% of the total share capital (or controlling interest) must have the qualifications set out under the Banking Law for founders of banks. For example, they must not have been declared bankrupt, been found guilty of certain criminal acts or held qualified shares in, or exercised control over, a financial institution whose activity permit has been cancelled.
According to the Central Bank's official website, there are currently 34 payment entities and 18 e-money entities. Note that payment or electronic money entities to be established after 1 January 2020 will be licensed by the Central Bank under the Law on Payment Systems as amended on 22 November 2019.
In addition to the payment methods set out above, conventional point-of-sale (POS) devices are also widely used and regulated on a national level in Turkey. According to a series of communiqués issued by the Revenue Administration of Turkey (Gelir İdaresi Başkanlığı), including Communiqué No. 426 on Tax Procedure Law, use of "new generation cash registers" are mandatory for all vendors. These devices serve as both POS devices and cash registers for the purposes of tax-related record keeping and can support contactless payments.
Under Communiqué No. 509 on Tax Procedure Law dated 19 October 2019, the Revenue Administration of Turkey (Gelir İdaresi Başkanlığı) has obliged certain taxpayers to electronically issue documents required under the Tax Procedure Law No. 213. Such documents include invoices (fatura), self-employment invoices (serbest meslek makbuzu) and delivery notes (sevk irsaliyesi). This transformation aims to improve sustainability by decreasing the use of paper in tax matters and preventing the black economy.
The Turkish Government has also announced a common payment platform (Türkiye Ortak Ödeme Platformu), composed of six Turkish companies operating in the banking, payments/e-money, telecommunication and transportation sectors. The platform aims to ease daily money payment transactions, including shopping and transportation and will also allow unbanked users to effect money transfers.
The CMB's Communiqué No. III-37.1 on Investment Services and Activities and Ancillary Services permits investment companies to accept orders electronically in trading transactions. Investment companies must still sign framework agreements with their customers, open accounts in their name and acquire registration numbers from the Central Securities Depository. Leveraged transactions (sale and purchase through leverage of foreign exchange, precious metals and other assets designated by the CMB) are conducted on electronic platforms.
Another noteworthy development is the Istanbul Stock Exchange's (BIST) execution of a strategic partnership agreement with NASDAQ OMX Group on 20 January 2014, which introduced a substantial renovation on BIST's market applications and technological infrastructure.
For information on crowdfunding and blockchain, see Question 5 and Question 9.
Currently, the insurance and reinsurance industry has not engaged with FinTech companies as much as other financial institutions in Turkey.
Insurance activities are regulated on a national level by the Ministry of Treasury and Finance. All insurance and reinsurance companies must obtain an operating licence from the Ministry of Treasury and Finance to operate in Turkey. Additionally, certain transactions of insurance companies are subject to the Ministry of Treasury and Finance's approval, such as share transfers. Once established, the Insurance and Private Pension Regulation and Supervision Agency (Sigortacılık ve Özel Emeklilik Düzenleme ve Denetleme Kurumu (see Question 2)) will assume responsibility for the insurance industry.
The Insurance Association of Turkey (Türkiye Sigorta, Reasürans ve Emeklilik Şirketleri Birliği) is a non-governmental institution established by law. All local and foreign insurance, reinsurance and pension companies operating in Turkey must be a member of this association. The main objectives of the Insurance Association of Turkey are to:
The insurance sector has engaged to some extent with FinTech, for example, adopting mobile applications helping customers compare insurance products, manage policies and providing certain data. Noteworthy FinTech solutions in the insurance sector have been introduced by the Insurance Information and Monitoring Center (Sigorta Bilgi ve Gözetim Merkezi) established within the Insurance Association of Turkey. This centre has introduced some innovative products, including:
Sector representatives expect that blockchain based solutions in the insurance sector will boost Insurtech in Turkey.
Blockchain-related activities and cryptocurrency-related transactions are currently not regulated under Turkish law. Consequently, blockchain-related activities and cryptocurrency-related activities are not defined under any primary or secondary legislation (including, initial coin offerings (ICOs) and cryptocurrency payment processing services).
The first official statement by a Turkish authority on cryptocurrencies was a statement published by the BRSA on 25 November 2013. In its statement, BRSA clarified that "Bitcoin" and other cryptocurrencies were not e-money as defined under the Law on Payment Systems and therefore, were not regulated and audited by BRSA. In this statement, the BRSA "reminded the public of the possible risks inherent to the virtual currencies" as "the pricing of such virtual currencies may be highly volatile, digital wallets may be stolen or lost; and as a result of the irrevocable nature of transactions, exposed to risks from operational errors and fraudulent sellers".
In recent years, statements from ministers and representatives of regulatory authorities emphasised the potential of blockchain technology and cryptocurrencies in relation to financial infrastructure, while at the same time cautioning investors regarding the volatile nature of pricing of cryptocurrencies.
On 11 January 2018, the Financial Stability Committee (Finansal İstikrar Komitesi), comprised of the Deputy Prime Minister in charge of the Undersecretariat of Treasury and heads of the Central Bank, BRSA, CMB and Saving Deposits Insurance Fund, issued a press statement reiterating the concerns regarding cryptocurrencies as stated by the BRSA on 25 November 2013. The press release of the Financial Stability Committee further emphasised that ICO related activities are not regulated or audited and therefore at risk for fraud. In an announcement dated 27 September 2018, the CMB stated that ICOs are high-risk and speculative investments and warned investors of their risks, including the unregulated nature of such activities, high volatility and possibility of misleading or inaccurate information in the issuance documents.
That said, there has recently been a more positive approach to the use of blockchain in the financial sector:
Other than the legislation providing for the payment entities and e-money entities, no specific regulation has been issued addressing FinTech in Turkey. However, the regulators have issued rules on the use of technology and measures to be taken by the institutions to ensure the security and efficiency of the financial services infrastructure.
BRSA requires banks to take all necessary measures to calculate, monitor, check and report risks that might arise from the banks' use of information technologies (IT). Within this general framework, the BRSA provides for additional obligations for internet banking and ATM machines due to specific risks they pose to the banks and customers (such as cybersecurity issues, risk of theft, attack, identity authentication issues and so on). Accordingly, for financial services provided through internet banking, banks must:
For banking services provided through ATM machines, banks must take all measures against theft, fraud, physical attacks that may target ATM customers and raise awareness for the secure use of ATMs.
As a general obligation, banks must take necessary measures to maintain the confidentiality of transactions (and the data stored, processed, transferred thereby) effected through IT systems. Banks regularly inform their customers of the general use and risks of digital banking, as well as security measures taken by the bank. Banks must also implement mechanism to monitor customer complaints.
Central Bank also imposes similar obligations on payment entities and e-money entities. These entities must prepare a risk management policy and detect, analyse, monitor, control and report all risks arising from the use of information technologies. They must take all necessary measures to ensure data confidentiality and security and implement mechanisms for identity authentication.
In its Communiqué numbered VII-128.9 on Management of Information Systems which entered into force on 5 January 2018, the CMB provided for rules governing management, security, sustainability and efficient operation of information systems of various capital markets institutions, including:
Management of information systems is deemed to be a part of corporate governance practices.
Similar to the Central Bank regulations with regard to payment and e-money entities, the CMB requires the obligated entities to:
The CMB provides for a two-tier information system, consisting of primary systems and secondary systems. Primary systems include all infrastructure, hardware, software and data allowing a safe and immediate access to all information required for the obligated entities' activities. Secondary systems include primary system back-ups in case of disruption of services. Entities must maintain both systems in Turkey.
The entities must also inform their customers of the risks of services offered through electronic means and security measures taken by them.
In addition to the banking and securities laws applicable to FinTech sector players, there are other regulatory compliance issues that must be considered by FinTech entities.
For the regulatory compliance issues faced by FinTech in relation to consumer protection laws, the Law No. 6502 on Protection of the Consumer, which entered into force on 28 May 2014 (Law on Consumer Protection) provides the general framework for protecting the economic benefits of consumers and aims to raise awareness on the consumer side. Banks and other financial institutions that extend loans or issue credit/debit cards must inform the consumer relating to any fees and expenses payable (other than the relevant interest payments) regarding such loans in accordance with the secondary legislation issued by the BRSA.
Furthermore, principles and provisions applicable to the execution of contracts relating to financial services (including banking services, extension of loans, insurance, private pension system (bireysel emeklilik sistemi), investments and payments) using a communication device (for example, phone, internet, mobile applications) are provided under the Law on Consumer Protection. The consumer must be fully informed of the consumer's obligations under the contract and the consumer's rights of termination. This information must be presented in a manner that is:
The relevant entity providing the financial services must ensure that all necessary records are kept relating to the referred communications.
In addition to the general provisions, payment entities and e-money entities are subject to further regulations with regard to relations with their customers, record keeping, and information security. Such entities are required to execute a framework agreement with their customers containing, among other information:
Moreover, these entities must store all relevant documents and records domestically in Turkey, in a safe and accessible manner and take necessary precautions to prevent unauthorised access to such documents and records (Law on Payment Systems). Failure to comply with these requirements can result in criminal liability, and may be subject to payment of punitive fines and/or imprisonment.
Turkey enacted Law No. 6698 on Protection of Personal Data (Data Protection Law) on 7 April 2016. This long-awaited law, largely based on Directive 95/46/EC on data protection (Data Protection Directive), was enacted following the ratification of the European Council's Convention for the protection of individuals when processing personal data and on the free movement of such data and its related protocol.
Turkish companies must also comply with the Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (GDPR)) if they:
In addition to the obligations imposed by the regulators (see Question 10), FinTech entities must comply with the Data Protection Law, its secondary legislation and to the extent applicable, with GDPR.
"Personal data" is defined as any information relating to an identified or identifiable person. The Data Protection Law does not provide specific examples of personal data. However, examples of personal data may include name, address, date of birth, e-mail address and employment-related information. The Data Protection Law also provides for a separate list of "special personal data", including information on:
This is especially important for today's banking practices where banks use biometrics (face recognition, retina scan, palm scan, among others) to verify the identity of their customers.
The Data Protection Law distinguishes between "data controllers" and "data processors" and sets out their respective responsibilities. A data controller (veri sorumlusu) determines the objectives of, and means for, processing data. A data controller is responsible for the establishment and management of the data recording system. A data processor (veri işleyen) processes personal data based on authority given by the data controller. Data controllers and data processors may be individuals or legal entities.
The Turkish Data Protection Authority (Turkish DPA) keeps a publicly available database (VERBİS) and requires all data controllers who process personal data in Turkey to be registered with VERBİS. With its decision dated December 2019, the Turkish DPA set the following deadlines for certain data controllers to complete their registration with VERBİS:
Data controllers who become subject to the registration requirement after the deadlines listed above (as they fulfil the registration criteria) must register with VERBİS within 30 days upon fulfilment of the registration criteria.
There may be a variety of reasons to process personal data. However, processing must comply with the general principles set forth by the Data Protection Law, regardless of the purpose for processing. Accordingly, personal data must be processed lawfully, fairly and accurately and, where necessary, kept up-to-date. Data collected must:
Processing may only be made with the express consent of the data subject. The Data Protection Law provides for certain exceptions to the consent requirement, for example, if the processing is required explicitly by law or directly related to the execution or performance of a contract (in this case only the personal data of the contracting parties may be processed). Processing of special personal data also requires the data subject's express consent or the existence of an explicit statutory exemption. Additionally, data controllers must take sufficient measures to protect special personal data. The Turkish DPA recently published a list of measures, which include the adoption of a separate policy for such data, regular training for employees and execution of confidentiality agreements with these employees, ensuring the security of the electronic platform or physical media where such data is kept and taking additional security measures when transferring such data.
Transfer of data is subject to the same rules and exceptions as the processing: In general, no transfer may be made without the express consent of the subject but under certain circumstances data may be transferred without consent. The same set of exceptions to the consent requirement applies to transfer of data. Transfer of personal data without consent is subject to further restrictions if the data is transferred outside of Turkey. Data controllers can transfer personal data to a recipient country with an adequate level of data protection, or where there is a written agreement with the data controller or processor in the recipient country if that recipient country does not have an adequate level of data protection. This agreement must be submitted to and approved by the Turkish DPA. While the Turkish DPA is still to announce the "white list" countries that will be deemed to have an adequate data protection level, it has announced the minimum required content of the above-mentioned agreement.
A data controller or its representative has disclosure obligations against the data subjects, which include the identity of the data controller or its representative, reasons for processing, to whom the data may be disclosed (recipient) and for what purpose. Data controllers must take any required administrative and technical precaution to maintain the necessary level of data security. If data is processed by another individual or legal entity on behalf of the data controller, the data controller is jointly responsible with the processor individual or legal entity for taking such precautions. Data controllers and processors may neither disclose personal data if not required by law nor use such data for a purpose other than the defined collection purpose. Data controllers must carry out necessary monitoring and audits to ensure compliance.
For know-your-client, anti-money laundering, and counter-terrorist financing regulations, the main regulatory institution in Turkey is the Financial Crimes Investigation Board (Mali Suçları Araştırma Kurulu) (MASAK) of the Ministry of Treasury and Finance.
Within this framework, MASAK imposes certain obligations on financial institutions and some professional organisations, including banks, capital market institutions, insurance companies, payment companies and e-money companies. These obligated institutions must, amongst other things:
MASAK and the information/technology systems regulations impose on financial entities know-your-client/know-your-customer requirements (see Question 10).
There are no regulatory barriers for FinTech entities to enter into partnerships or other similar arrangements with traditional financial services providers. Recently established FinTech entities, such as start-ups and crowdfunded project entities may cooperate with traditional service providers, such as banks and other financial institutions.
In fact, many established banks in Turkey have institutionalised their efforts to promote and finance FinTech start-ups under angel-investment and incubation centre programmes.
Moreover, several local banks that have been providing internet banking services for over a decade, have established websites that enable entrepreneurs and software developers to produce FinTech applications using that bank's API. This provides start-ups with the opportunity to build FinTech tools using the bank's existing technological infrastructure, providing higher integration of start-ups to the existing ecosystem; while promoting bank's financial infrastructure as a platform that is open to growth and collaboration. Recently, certain FinTech companies have followed suit and allowed third-party developers and other users to use their APIs.
Under Law No. 4875 on Foreign Direct Investment, which entered into force on 17 June 2003, it is a statutory requirement under Turkish law that foreign investments are treated on equal terms with domestic investors. Accordingly, FinTech entities intending to provide services within the Turkish jurisdiction should not, by operation of law, encounter regulatory barriers that are different from domestic FinTech entities.
Regulatory requirements and minimum eligibility criteria that are set out under relevant legislation apply to foreign FinTech entities as they apply to domestic FinTech entities. These include, when applicable, obtaining an establishment and operating permit; and storing relevant documents and data domestically (that is, in Turkey).
Among other categories of intellectual property, the Law on Industrial Property No. 6769 provides for the following categories of intellectual property to be registered and protected, which could be used for FinTech innovations in Turkey:
Although not specifically targeting FinTech entities and investments, the following create a more favourable environment for the FinTech ecosystem in Turkey:
On several occasions, representatives of the relevant ministries and regulatory authorities, including the BRSA, have stated that governmental authorities are working in coordination to provide for an ideal regulatory environment to foster the growth of the FinTech sector, while protecting the members of the FinTech eco-system (including the service providers and the customers).
Under the 2019-2023 Development Plan announced by the Presidency in July 2019, action will be taken to further develop the FinTech sector in Turkey (some action has already been taken with the recent amendment to the Law on Payment Systems). Such action includes:
Although traditionally the regulatory authorities have abstained from issuing or enforcing any regulation on cryptocurrencies, recently we have seen a more welcoming approach (see Question 9).
There are funds made available by Scientific and Technological Research Council of Turkey (TÜBİTAK) and European Union supported programmes, such as Horizon 2020, the EU's programme for research and development. However, FinTech entities have mostly relied on investment from angel investors, venture capital firms and banks.
The Council of Ministers Decree No. 2018/11662 dated 5 June 2018 (Decree No. 2018/11662) sets out the procedure for transferring funds from the Treasury budget to venture capital funds that provide financing to companies and/or projects. FinTech sector representatives expect to receive a sizable portion of these funds. In January 2019, the Ministry of Treasury and Finance announced its plan to allocate funds of up to TRY400 million in the next five years and invited venture capital funds to apply for evaluation.
The objective of the Turkish Government is to facilitate growth in Turkish financial markets, including FinTech, to position Turkey (and especially Istanbul) as a finance hub for the Europe Middle East Africa (EMEA) region.
The establishment of the Istanbul Finance Centre (Istanbul Finans Merkezi), a finance hub which will host regulatory authorities, conventional finance institutions, and FinTech start-ups, is currently in progress. The Turkish Government's intention is that, upon its expected completion in 2022, the Istanbul Finance Centre will be another incentive for foreign FinTech entities to establish a presence in Turkey.
Under the Banking Law, the establishment of a foreign branch, establishment of or participation in a foreign partnership by a bank primarily established in Turkey is subject to the approval of the BRSA. Accordingly, banks may be subject to the approval of the BRSA with regards to the cross-border provision of financial products or services, if such activity entails the establishment of a foreign branch, establishment of or participation in a foreign partnership.
There is no blanket provision covering all domestic FinTech entities with regards to their cross-border activities. Accordingly, there are no special rules that affect the cross-border provision of financial products or services by domestic FinTech entities. In fact, several payment entities, and a payment platform established in Turkey, are already providing cross-border services.
Regulatory requirements and minimum eligibility criteria that are set out under relevant legislation apply to all FinTech entities that are operating in Turkey. Accordingly, among other requirements, such entities may be required to obtain permits from relevant regulatory authorities and store relevant documents and data domestically (that is, in Turkey).
In light of the official statements, the Financial Stability Committee stated in its statement dated 11 January 2018 that a working group comprised of all relevant ministries and regulatory authorities would be formed to draft the relevant legal framework for cryptocurrencies and blockchain-related activities (see Question 9). The Head of the Central Bank has stated that developments regarding digital currencies are followed closely by the Central Bank, and "if designed correctly, such digital currencies may contribute to financial stability". Turkey is also preparing to launch its blockchain-based digital central bank money (blokzincir tabanlı dijital merkez bankası parası) (see Question 9).
After entry into force of PSD2 (see Question 15) in Europe, Turkey has taken steps towards open banking and enabled the provision of payment initiation and account information services with a recent amendment which entered into force on 1 January 2020 (see Question 6). With the advancement of open banking, we also expect that further regulations will be introduced with respect to both data protection/privacy and combating financial fraud.
FinTech investments in Turkey have been channelled principally through the banking industry and payment systems. As new areas of interest emerge, such as blockchain, robo-advisors and alternative crowdfunding activities, new rules and regulations are expected to be introduced.
COP26, the 26th Conference of the Parties to the UNFCCC, will take place between 1 and 12 November 2021 in Glasgow.
© Norton Rose Fulbright LLP 2021