by Ekin İnal and H. Alper Tüzün, İnal Ünver Attorney Partnership (in association with Norton Rose Fulbright in Turkey)

Reproduced from Practical Law with the permission of the publishers. For further information, visit www.practicallaw.com.


A Q&A guide to FinTech in Turkey.

The Q&A provides a high-level overview of the financial services sector; the FinTech sector; regulatory environment for alternative finance activities, payment platforms, investment/asset management and InsurTech; regulatory compliance; government initiatives; cross-border provision of services and the future of FinTech.

Overview of financial services sector

1. What are the types of entities that form the financial services sector in your jurisdiction?

The Banking Law No. 5411, which entered into force on 1 November 2005 (Banking Law), provides the legal framework for banking activities to ensure the reliability and stability of financial markets and to promote the effective functioning of loan markets. The following entities can be established under the Banking Law:

  • Deposit banks (mevduat bankaları). These banks can accept deposits, advance loans and conduct other banking activities as permitted under the Banking Law.
  • Participation banks (katılım bankaları). These banks can accept funds by using special current accounts or participation accounts, advance loans and conduct other banking activities as permitted under the Banking Law. Activities of these banks are based on interest-free banking principles in line with globally accepted Islamic finance principles.
  • Development and investment banks (kalkınma ve yatırım bankaları). These banks can advance loans and perform the objectives provided by special relevant laws, but cannot accept deposits or funds.

These categories also include Turkish branches of foreign banking institutions conducting equivalent banking services in their home countries.

Financial holding companies (finansal holding şirketleri) are companies whose subsidiaries are banks and/or other financial institutions, and of which at least one is a deposit or participation bank.

The Law on Financial Leasing, Factoring, Financing, and Savings Finance Companies No. 6361, which entered into force on 13 December 2012 (Financial Leasing Law), provides the legal framework for the establishment and activities of financial leasing, factoring, and financing companies. The following entities can be established under the Financial Leasing Law:

  • Financial leasing companies (finansal kiralama şirketleri). These provide financing by leasing certain assets based on a financial leasing agreement, subject to certain statutory requirements.
  • Factoring companies (faktoring şirketleri). These purchase accounts receivable that arise from the sale of goods or services and are documented through invoices, and provide debt collection, book-keeping, financing and/or guarantee services.
  • Financing companies (finansman şirketleri). These are entities that finance the purchase of goods and services by purchasing such goods and services in the name of, and on behalf of, the buyer and by making the payment directly to the seller.
  • Savings finance companies (tasarruf finansmanı şirketleri). These are entities that finance the purchase of residential immovable properties and personal vehicles based on interest-free financing principles.

The Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Companies No. 6493, which entered into force on 27 June 2013 (Law on Payment Systems), provides the legal framework for payment and securities settlement systems, payment services and relevant entities, and electronic money companies. The following entities can be established under the Law on Payment Systems:

  • Payment companies (ödeme kuruluşları). These are entities that are authorised to provide payment services.
  • Electronic money companies (elektronik para kuruluşları). These are entities that are authorised to issue electronic money (or e-money). E-money is defined as a monetary value issued in exchange for funds by an e-money company, stored electronically and accepted as a payment tool by persons other than the issuer.

The Insurance Law No. 5684 (Insurance Law), which entered into force on 14 June 2007, provides the legal framework for the insurance sector, ensuring its reliability and stability. The following entities can be established under the Insurance Law:

  • Insurance companies (sigorta şirketleri). These are entities that are established to issue insurance policies and provide related services.
  • Reinsurance companies (reasürans şirketleri). These are entities that are established to provide reinsurance services.

The Insurance Law also regulates insurance agencies and brokers. Insurance agencies (sigorta acenteleri) execute insurance policies for and on behalf of insurance companies, assist with the preparatory works and implementation of insurance contracts and claims payments in a defined geographical area. Insurance brokers (sigorta brokerleri) assist the insured in the selection of the appropriate insurance and reinsurance company and in preparatory works relating to the contract, and if required, in the implementation of contract and claims payments.

The Capital Markets Law No. 6362 (Capital Markets Law), which entered into force on 30 December 2012, regulates capital market activities and instruments, public companies, listed companies, investment companies and other capital markets entities, stock exchanges and other organised markets. The following entities can be established under the Capital Markets Law:

  • Intermediary entities (aracı kurumlar). These are entities that are authorised by the Capital Markets Board of Turkey (CMB) to provide exclusively investment services and activities as set out under the Capital Markets Law.
  • Collective investment entities (kolektif yatırım kuruluşları). These consist of investment partnerships (yatırım ortaklıkları) and investment funds (yatırım fonları):
      • investment partnerships are established to manage portfolios consisting of capital market instruments, real estate, venture capital investments, and other assets as determined by the CMB; investment partnerships are organised as joint stock companies with fixed or floating capital and offer shares to the public; and
      • investment funds are portfolios of assets, consisting of cash and other forms of assets, collected from persons in return for fund participation units, and managed by a portfolio management company; investment funds are based on the principles of fiduciary ownership, and a contractual relationship between the holder of participation units and the portfolio management company. Investment funds do not have legal personality under Turkish law, except in respect of real estate transactions that require registration of the fund with title deed registries.
  • Investment entities (yatırım kuruluşları). These consist of intermediary entities, capital markets entities and banks that are authorised to provide investment services and activities.
  • Crowdfunding platforms (kitle fonlama platformları). These are entities that act as intermediaries for crowdfunding activities conducted on electronic communication platforms.

Other types of entities regulated by the Capital Markets Law include authorised audit companies, appraisal firms, credit rating agencies, portfolio management companies, mortgage finance companies, housing and asset financing funds, asset lease companies (established for issuance of lease certificates/sukuk bonds), central clearing institutions, central depository institutions, and trade repositories.

2. What are the key regulatory authorities that are responsible for the financial services sector?

Banking Regulation and Supervision Agency

The Banking Regulation and Supervision Agency (Bankacılık Düzenleme ve Denetleme Kurumu) (BRSA) was established in 2000 as an independent and central supervisory authority to supervise the establishment, management and activities of banks and other financial institutions, including:

  • Branches of foreign banks in Turkey.
  • Financial holding companies.
  • Financial leasing, factoring and consumer finance companies.

The BRSA has the authority and responsibility to protect the rights of depositors, ensure reliability and stability in financial markets, and promote the effective functioning of the loan markets. The main responsibilities and powers of the BRSA include:

  • Regulating the incorporation, management, organisation, share transfer and other transactions of banks, financial holding companies, financial leasing and factoring companies, ensuring compliance with banking legislation, and issuing resolutions relating to banking and financial services activities.
  • Reducing transaction and intermediation costs for more competitive banking operations, maximising market integration, and increasing transparency in financial markets.
  • Inspecting the risk structures, internal controls, risk management, internal audit systems, receivables, shareholder equities, payables, profit and loss accounts, and liability balances of relevant financial institutions, and ensuring compliance with the principles of corporate governance in banks and other financial sector participants.
  • Evaluating the annual financial reports of banks and other financial sector participants that are issued by independent audit institutions.

Capital Markets Board of Turkey

The CMB is the regulatory authority responsible for ensuring reliability and stability in Turkey’s securities market. Established in 1981, and currently operating under the Capital Markets Law, its objectives are to provide for fair and orderly functioning of the capital markets and the protection of investors’ rights.

The main strategic objectives of the CMB are to:

  • Enhance investor protection.
  • Fully integrate the norms of international capital markets into Turkish capital markets legislation.
  • Promote and enhance the effectiveness of both the supply and demand side of the capital markets.
  • Promote transparency and fairness in the capital markets.
  • Facilitate the modernisation of the capital markets infrastructure.

Central Bank of the Republic of Turkey

The Central Bank of the Republic of Turkey (Türkiye Cumhuriyet Merkez Bankası) (Central Bank) is an independent entity primarily responsible for the administration of the monetary and exchange rate policies of the Turkish economy. Established in 1931, the Central Bank also regulates banks in relation to their foreign currency operations, reserve requirements and capital adequacy rules.

The main strategic objectives of the Central Bank are to:

  • Achieve and maintain price stability and financial stability.
  • Determine and provide stability to the exchange rate regime with the government.
  • Print and issue banknotes.
  • Establish fast and secure transfer and settlement systems. The Central Bank operates electronic funds transfer (EFT) and electronic securities transfer systems.

Since 1 January 2020, the Central Bank has been authorised to oversee payment companies and electronic money companies, instead of the BRSA. An amendment dated 22 November 2019 (Amendment Law) introduced important changes to the Law on Payment Systems, making the Central Bank the primary regulator of the payment systems sector, increasing the scope of the Central Bank’s existing supervisory powers under the applicable legislation and paving the way for open banking (see Question 7).

Ministry of Treasury and Finance of the Republic of Turkey

The main strategic objectives of the Ministry of Treasury and Finance are to:

  • Manage public financial assets and liabilities.
  • Regulate, implement and supervise economic, financial and sectoral policies, including the foreign exchange regime.
  • Co-ordinate international economic relations in a transparent, accountable and efficient way.
  • Set out principles and rules regarding money laundering.

The Ministry of Treasury and Finance’s duties in respect of the insurance sector have been recently transferred to the Insurance and Private Pension Regulation and Supervision Agency (Sigortacılık ve Özel Emeklilik Düzenleme ve Denetleme Kurumu) (Insurance Agency) by Presidential Decree No. 47, which entered into force on 18 October 2019. The Insurance Agency was officially established by convening its first board meeting on 5 June 2020, after the appointment of the chairman and members of the board. The main strategic objectives of the Insurance Agency are to:

  • Regulate, implement and supervise insurance and private pension legislation.
  • Take the necessary steps and precautions to improve Turkish insurance and private pension practice and to protect insureds and participants.
  • License insurance and reinsurance companies and branches of foreign insurance or reinsurance companies, ensuring compliance with insurance and private pension legislation.

Istanbul Stock Exchange (Borsa Istanbul) (BIST)

BIST, the sole stock exchange in Turkey, combines in a single institution the Istanbul Stock Exchange, Istanbul Gold Exchange and the Turkish Derivatives Exchange (all of which existed as separate entities before 2013). There are currently four main markets on BIST:

  • Equities market.
  • Debt securities market.
  • Derivatives market.
  • Precious metals and diamonds market.

The main markets consist of several sub-markets. For example, the Equities Market consists of:

  • BIST Star: companies with a minimum market capitalisation of TRY300 million can be quoted in BIST Star.
  • BIST Main: companies with a minimum market capitalisation of TRY75 million can be quoted in BIST Main.
  • BIST Sub-Market: companies with a minimum market capitalisation of TRY40 million can be quoted in the BIST Sub-Market.

After quotation, listed companies are evaluated at least bi-annually. If deemed necessary, they may need to leave one sub-market and move to another.

Financial instruments currently traded on BIST markets include equities, exchange-traded funds, government bonds and bills, corporate bonds and bills, covered bonds, money market instruments (repo/reverse repo), asset-backed securities, futures and options, real estate certificates and lease certificates. Lease certificates modelled on sukuk bonds can be issued based on revenues to be generated from ownership, management, sale and purchase, partnership or a service contract.

Self-regulating organisations

For each segment of the financial industry, there are also self-regulating organisations, including the:

  • Banks Association of Turkey.
  • Participation Banks Association of Turkey.
  • Association of Financial Institutions.
  • Turkish Capital Markets Association.
  • Insurance Association of Turkey.
  • Payment and Electronic Money Institutions Association of Turkey (introduced by the Amendment Law, the relevant provision of which entered into force on 22 May 2020).

Overview of FinTech sector

3. What areas of the financial services sector has FinTech significantly influenced so far?

The promulgation of the Law on Payment Systems in 2013 was an important step in the development of the FinTech sector in Turkey (see Question 7). As a result, FinTech has had a key influence on innovations relating to payment systems and money collection and transfer (including pre-paid cards, digital wallets, invoice and accounting, budget management, offline payments, money transfers, loyalty cards, bill collection, cash collection, cash registers and point-of-sale devices and credit scoring).

FinTech has also influenced the following sectors:

  • Personal finance management.
  • Insurance (agency and price comparison).
  • Robo-advisory (almost exclusively for savings in private pension schemes).
  • Crowdfunding activities.

However, developments in these sectors have been rather limited compared to those in the payments industry.

4. How do traditional financial services entities engage with FinTech?

The traditional financial services sector in Turkey is led by banks, which have rapidly responded to, and adapted to, FinTech due to:

  • Their market size.
  • Efficient use of technology.
  • The large product range they offer to customers.

Turkish banks offer advanced retail banking products, ahead of many of their international competitors, including loan applications submitted through text messages, cash withdrawals using a QR code, mobile contactless payments, artificial intelligence-based financial assistants, and opening bank accounts through video call. Certain products offered by Turkish banks also involve co-operation with FinTech entities (such as mobile internet banking applications) and with public authorities (such as the General Directorate of Land Registry and Cadastre for electronically establishing a mortgage).

Regulatory environment

Alternative finance

5. How is the use of FinTech in alternative finance activities regulated?

There are currently no regulatory sandboxes available for FinTech companies or start-ups.

Law No. 4691 on Technology Development Zones regulates the establishment of technology development zones to support technology-intensive production and entrepreneurship. Located in different parts of the country, technology development zones aim to promote co-operation between universities, research institutions and small and medium-sized entrepreneurs. There are currently 72 fully operational zones and 15 under construction. About 6,300 companies (about 300 of which have foreign investors) benefit from incentives under this framework. These include:

  • Tax deductions and exemptions (including from income tax and stamp tax).
  • Social security premiums support.
  • Grants.

Additionally, the Central Bank is currently operating the information hub “FinTech İstanbul” (www.fintechistanbul.org), which supports the FinTech ecosystem in Turkey. FinTech İstanbul was established by Interbank Card Center (Bankalararası Kart Merkezi), which was initially owned by a consortium of private banks but is now majority-owned by the Central Bank.

Alternative Finance

6. How is the use of FinTech in alternative finance activities regulated?

There is no specific legislation regarding the use and application of FinTech in marketplace lending activities (including B2B, B2C, C2C, peer-to-peer lending and so on). Lending activities are highly regulated in Turkey on a national level by the BRSA.

Only BRSA-authorised entities can legally conduct lending activities under the Banking Law or the Financial Leasing Law. Unauthorised money lending and earning interest from such funds is a crime, defined as usury (tefecilik), which is punishable by two to five years' imprisonment and punitive fines of up to TRY500,000 (Criminal Code No. 5237).

Accordingly, no B2B, B2C, C2C, or peer-to-peer lending platforms are currently active in Turkey and no such activity can be conducted under the current legislation.

However, crowdfunding activities and platforms are permitted and regulated on a national level by the CMB. A set of amendments to the Capital Markets Law made on 5 December 2017 defines crowdfunded project entities and carves them out of the legal definition of “public entity” (that is, joint stock companies with more than 500 shareholders, which are deemed to be public, even if their shares are not traded on BIST). As public companies have a number of disclosure and corporate governance requirements that may be burdensome on a crowdfunded project entity, this carve-out provides for a regulatory environment that supports the establishment and development of crowdfunding.

Additionally, crowdfunded project entities are carved out of the definition of “issuer” and are not required to issue a prospectus or offering circular to launch crowdfunding campaigns. They are also exempt from extensive book-keeping and disclosure requirements that are applicable to public entities and issuers, which also helps develop and support the crowdfunding industry.

Under secondary legislation on equity-based crowdfunding adopted on 3 October 2019, technology or production start-up companies can apply to crowdfunding platforms to raise capital in return for equity. These platforms are regulated on a national level by the CMB (for example, crowdfunding platforms require the approval of the CMB to commence operations, and their corporate structure, corporate governance and activities are supervised by the CMB).

Under an amendment to the Capital Markets Law adopted on 20 February 2020, the CMB is also authorised to regulate lending-based crowdfunding activities, in addition to equity-based crowdfunding. The amendment provides that banking regulations (including the Banking Law) will not apply to lending-based crowdfunding activities. Accordingly, changes to the regulation of alternative finance activities may be expected in the future. To date, the CMB has not issued any secondary legislation regarding lending-based crowdfunding, and there are no lending-based crowdfunding platforms.

Payment platforms

7. How has FinTech resulted in innovations to payment services and how is it regulated?

FinTech is widely used in payment-related activities in Turkey. For example, internet and mobile banking systems are well established with a high market penetration rate. These services allow customers to conduct banking transactions, including national and international money transfers (subject to certain limitations regarding processing orders outside usual banking hours). The general regulations applicable to financial services infrastructure are also applicable to money transfer transactions. For further information on other regulations applicable to the use of FinTech, see Question 15.

Payment systems are regulated on a national level by the Law on Payment Systems, which provides that the following payment services can be conducted by payment entities:

  • All transactions regarding management of a payment account, including crediting and debiting amounts to/from that account.
  • Money transfers, including direct debiting from the account and regular payment made with a payment card.
  • Issuance and acceptance of a payment instrument.
  • Transfer of money.
  • Making of payments via an electronic communication device.
  • Intermediary services for payment of invoices.

An amendment dated 22 November 2019 to the Law on Payment Systems expanded the scope of payment services to open banking solutions from 1 January 2020, as follows:

  • On request of the payment services user, the initiation of a payment order with regard to a payment account available at another payment service provider (payment initiation services).
  • On permission of the payment services user, the provision of online platforms containing consolidated information regarding the user’s payment account(s) held at payment service providers (account information services).

Although some banks have already started offering open banking products to customers, it is important that open banking is now explicitly provided for in the legislation. The authors expect that this regulatory framework will help to expand and develop open banking solutions. With the use of open banking, customers will be able to better manage their financial information and multiple bank accounts, and negotiate tailor-made financial products and solutions using open banking data. Open banking will help more FinTech businesses, which usually have limited resources compared with banks, to develop innovative products using banks’ application programming interfaces (APIs).

In addition, the Central Bank can decide that other payment services and transactions reaching a certain threshold with regard to their overall size and impact area will qualify as payment services.

Payment entities can commence operations on obtaining a licence from the Central Bank (which was previously granted by the BRSA).

The following entities can conduct payment service activities:

  • Banks operating under the Banking Law.
  • E-money entities.
  • Payment entities operating under the Law on Payment Systems.
  • National postal service (Posta ve Telegraf Teşkilatı A.Ş.).

E-money entities can conduct the following payment services once they have obtained an operation licence from the BRSA (or the Central Bank, as of 1 January 2020):

  • Issuance of e-money, in return for the funds collected. The funds must be kept in a deposit account of a bank established under the Banking Law and must not be connected with lending activities or pay interest.
  • Facilitating payments with such electronic money issued.

(Law on Payment Systems.)

The conditions for obtaining an operation licence for conducting payment service activities and/or operating as an e-money entity include:

  • Establishment of a joint stock company with a minimum paid-up capital (ranging from TRY1 million to TRY2 million for payment entities and TRY5 million for e-money entities).
  • Employing a sufficient number of qualified persons.
  • Having the required technical infrastructure.
  • Ensuring adequate risk management.
  • Ensuring information security and business continuity.
  • Forming an open and transparent organisational structure.

Persons who hold more than 10% of the total share capital (or controlling interest) of payment or e-money entities must have the qualifications set out in the Banking Law for founders of banks. For example, they must not have been declared bankrupt, been found guilty of certain criminal acts or held qualified shares in, or exercised control over, a financial institution whose activity permit has been cancelled.

According to the Central Bank’s official website, there are currently 33 payment entities and 22 e-money entities. Payment and e-money entities established after 1 January 2020 are licensed by the Central Bank under the Law on Payment Systems (as amended on 22 November 2019).

In addition to the payment methods set out above, conventional point-of-sale (POS) devices are also widely used and regulated on a national level in Turkey. According to a series of communiqués issued by the Revenue Administration of Turkey (Gelir İdaresi Başkanlığı), including Communiqué No. 426 on Tax Procedure Law, the use of “new generation cash registers” is mandatory for all vendors. These devices serve as both POS devices and cash registers for the purposes of tax-related record-keeping and can support contactless payments.

Certain taxpayers must also electronically issue the documents required under the Tax Procedure Law No. 213, such as invoices (fatura), self-employment invoices (serbest meslek makbuzu) and delivery notes (sevk irsaliyesi) (Communiqué No. 509 on Tax Procedure Law dated 19 October 2019). This transformation aims to improve sustainability by decreasing the use of paper in tax matters and preventing activities of the black economy.

Investment / asset management

8. How is the use of FinTech in the retail investment market regulated?

The CMB’s Communiqué No. III-37.1 on Investment Services and Activities and Ancillary Services allows investment companies to accept orders electronically in trading transactions. Investment companies must still sign framework agreements with their customers, open accounts in their name and acquire registration numbers from the Central Securities Depository (Merkezi Kayıt Kuruluşu). Leveraged transactions (sale and purchase through leverage of foreign exchange, precious metals and other assets designated by the CMB) are conducted on electronic platforms.

Another noteworthy development is BIST’s execution of a strategic partnership agreement with NASDAQ OMX Group on 20 January 2014, which introduced a substantial renovation of BIST’s market applications and technological infrastructure.

For information on crowdfunding and blockchain, see Question 6 and Question 14.

9. How is the use of FinTech in wholesale securities markets regulated?

There is currently no separate regulation on the use of FinTech in wholesale securities markets. Wholesale securities markets are regulated by CMB communiqués, such as Communiqué No. VII-128.1 on Shares. BIST has also set up rules and procedures applicable to transactions in wholesale securities markets.

InsurTech

10. How is the use of FinTech in the insurance sector regulated?

The insurance and reinsurance industry has not engaged with FinTech companies as much as other financial institutions in Turkey.

Insurance activities are regulated on a national level by the Insurance Agency (see Question 2). All insurance and reinsurance companies must obtain an operating licence from the Agency to operate in Turkey. Additionally, certain transactions of insurance companies are subject to the Insurance Agency’s approval, such as share transfers.

The Insurance Association of Turkey (Türkiye Sigorta, Reasürans ve Emeklilik Şirketleri Birliği) is a non-governmental institution established by law. All local and foreign insurance, reinsurance and pension companies operating in Turkey must be a member of this association. The main objectives of the Insurance Association of Turkey are to:

  • Promote the insurance and reinsurance and private pension sectors in general.
  • Conduct research on insurance and private pensions in line with national and international developments.
  • Provide recommendations to relevant public authorities.
  • Take action against unfair competition practices among members.
  • Provide training and other educational activities to promote the insurance sector.

The insurance sector has engaged to some extent with FinTech, for example, by adopting mobile applications that help customers to compare insurance products and manage policies, and that provide certain data. Noteworthy FinTech solutions in the insurance sector have been introduced by the Insurance Information and Monitoring Centre (Sigorta Bilgi ve Gözetim Merkezi) established within the Insurance Association of Turkey. This centre has introduced some innovative products, including:

  • “SBMobil” application. This allows users to access information related to their insurance policies by entering their profile and insurance information on their smart phones. App users can also receive and compare policy offers, search for and contact insurance agencies, and appoint experts easily and quickly if needed.
  • “Mobile Accident Report” application. This allows users to fill in obligatory accident reports after a traffic accident much faster and more conveniently than filling in the hardcopy accident report.
  • “MyInsurance360” application. This allows users to search for damage records of vehicles. The app provides access to dates and causes of accidents, damage information, and expert reports regarding vehicles (if any).

Sector representatives expect that blockchain-based solutions in the insurance sector will boost InsurTech in Turkey.

Cryptoassets

11. What is the legal status of cryptoassets?

Turkish law is silent on cryptoassets. Therefore, their legal status has not been clarified.

The first official statement by a Turkish authority on cryptocurrencies was a statement published by the BRSA on 25 November 2013. In its statement, the BRSA clarified that “Bitcoin” and other cryptocurrencies were not e-money as defined under the Law on Payment Systems, and therefore were not regulated and audited by the BRSA. In this statement, the BRSA “reminded the public of the possible risks inherent to the virtual currencies” as “the pricing of such virtual currencies may be highly volatile, digital wallets may be stolen or lost; and as a result of the irrevocable nature of transactions, exposed to risks from operational errors and fraudulent sellers”.

In recent years, statements from ministers and representatives of regulatory authorities have emphasised the potential of blockchain technology and cryptocurrencies in relation to financial infrastructure, while at the same time cautioning investors in relation to the volatile nature of pricing of cryptocurrencies.

On 11 January 2018, the Financial Stability Committee (Finansal İstikrar Komitesi), comprised of the Deputy Prime Minister in charge of the Undersecretariat of Treasury and heads of the Central Bank, the BRSA, Capital Markets Board and Saving Deposits Insurance Fund, issued a press statement reiterating the concerns regarding cryptocurrencies as stated by the BRSA on 25 November 2013. The press release of the Financial Stability Committee further emphasised that ICO-related activities are not regulated or audited and therefore are at risk of fraud. In an announcement dated 27 September 2018 the CMB stated that ICOs are high-risk and speculative investments and warned investors of their risks, including the unregulated nature of such activities, high volatility and possibility of misleading or inaccurate information in the issuance documents.

On 1 March 2021, the Ministry of Treasury and Finance issued a press statement on cryptocurrencies, declaring that:

  • Developments in this area are being closely followed.
  • The Ministry of Treasury and Finance, the Central Bank, the BRSA, the CMB and other relevant institutions are working in co-operation on this issue.

12. How are cryptoassets regulated?

Turkish law does not regulate cryptoassets, cryptocurrencies, cryptocurrency wallets, initial coin offerings (ICOs), stablecoins, or cryptoasset platforms, exchanges or custodians.

Cryptoassets do not fall within the existing regulatory and legislative framework.

13. Have specific anti-money laundering measures been introduced in relation to cryptoasset activities?

The Financial Crimes Investigation Board (Mali Suçları Araştırma Kurulu) (MASAK) has the authority to block suspicious transactions and freeze assets until further review.

MASAK does not categorically classify all transactions relating to cryptocurrencies as “suspicious transactions”, but conducts additional tests based on the frequency and amount of transactions, and the client’s financial profile. Interpretive guides published by MASAK provide the following two examples of transactions that are deemed suspicious:

  • Transfers from a client’s account, at a frequency and in amounts inconsistent with the client’s profile, to the accounts of persons, entities or cryptocurrency exchange markets either in or outside Turkey, for the purposes of buying cryptocurrency.
  • A transfer to a client’s accounts suspected to be the result of a sale of cryptocurrency, either whose source is unknown or which is inconsistent with the financial profile of the client.

Distributed ledger technology solutions

14. How is the use of blockchain in the financial services sector regulated?

Blockchain-related activities and cryptocurrency-related transactions are currently not regulated under Turkish law (see Question 11).

However, there has recently been a more positive approach to the use of blockchain in the financial sector:

  • As announced in the 2019-2023 Development Plan of the Republic of Turkey Presidency in July 2019 and the Annual Plan of the Republic of Turkey Presidency in November 2020, blockchain-based digital central bank money (blokzincir tabanlı dijital merkez bankası parası) is intended to be introduced.
  • Istanbul Clearing, Settlement and Custody Bank (Takasbank) has developed a new blockchain-based transfer infrastructure platform: BiGa (abbreviated from “bir gram altın”, which stands for “one gram of gold” in Turkish). BiGa is currently being integrated with Takasbank’s gold transfer system, but it can also be used to transfer any other digitalised asset, as it is designed as a transfer infrastructure platform.
  • Cryptocurrency exchanges and Bitcoin ATMs are also available in Turkey.

Financial services infrastructure

15. What types of financial services infrastructure-related activities of FinTech businesses are regulated?

There are no specific regulations addressing FinTech in Turkey, apart from legislation on payment entities and e-money entities. However, the regulators have issued rules on the use of technology and measures to be taken by institutions to ensure the security and efficiency of financial services infrastructure.

The BRSA requires banks to take all necessary measures to calculate, monitor, check and report risks that may arise from the use of information technologies (IT). Within this general framework, the BRSA provides for additional obligations applicable to internet banking and ATM machines due to the specific risks they pose to banks and customers (such as cybersecurity issues, risk of theft, attack, identity authentication issues and so on). When providing financial services through internet banking, banks must:

  • Regularly monitor their security control processes.
  • Implement appropriate and safe identity authentication mechanisms.
  • Ensure that transactions are “undeniable” by both the party initiating the transaction and the party completing it.
  • Regularly inform their customers of internet banking policies and procedures.
  • Ensure continuity of the services and implement recovery plans in cases of service disruption.

For banking services provided through ATM machines, banks must take all measures against theft, fraud, and physical attacks that may target ATM customers, and raise awareness for the secure use of ATMs.

As a general obligation, banks must:

  • Take necessary measures to maintain the confidentiality of transactions (and of data stored, processed, transferred) effected through IT systems.
  • Regularly inform their customers of the general use and risks of digital banking, as well as security measures taken by the bank.
  • Implement a mechanism to monitor customer complaints.

The Central Bank imposes similar obligations on payment entities and e-money entities. These entities must prepare a risk management policy and detect, analyse, monitor, control and report all risks arising from the use of IT. They must take all necessary measures to ensure data confidentiality and security and implement mechanisms for identity authentication.

CMB Communiqué No. VII-128.9 on Management of Information Systems, which entered into force on 5 January 2018, contains rules governing management, security, sustainability and efficient operation of information systems of various capital markets institutions, including:

  • BIST.
  • Pension funds.
  • Istanbul Clearing, Settlement and Custody Bank (Takasbank).
  • Central Securities Depository.
  • Capital markets institutions.
  • Public companies.

The management of information systems is deemed to be a part of corporate governance practices.

Similar to the Central Bank regulations with regard to payment and e-money entities, the CMB requires obligated entities to:

  • Adopt an information security policy.
  • Implement risk management procedures and processes.
  • Conduct information system controls.
  • Ensure network security, data confidentiality and secrecy of customer data.
  • Take necessary steps for identity authentication.

The CMB provides for a two-tier information system, consisting of primary systems and secondary systems. Primary systems include all infrastructure, hardware, software and data allowing for safe and immediate access to all information required for the obligated entities’ activities. Secondary systems include primary system back-ups in cases of service disruptions. Entities must maintain both systems in Turkey.

The entities must also inform their customers of the risks of services offered through electronic means and of the security measures taken by them.

Regulatory compliance

16. What are the key regulatory compliance issues faced by FinTech businesses?

In addition to the banking and securities laws applicable to the FinTech sector, FinTech businesses must consider other regulatory compliance issues.

Consumer protection

Law No. 6502 on Protection of the Consumer (Law on Consumer Protection), which entered into force on 28 May 2014, provides the general framework for protecting the economic benefits of consumers and aims to raise awareness of consumer issues. Banks and other financial institutions that extend loans or issue credit/debit cards must inform consumers of any fees and expenses payable (other than relevant interest payments) regarding such loans in accordance with the secondary legislation issued by the BRSA.

The Law on Consumer Protection also includes principles and provisions applicable to the execution of contracts relating to financial services (including banking services, extension of loans, insurance, private pension system (bireysel emeklilik sistemi), investments and payments) using a communications device (for example, phone, internet, mobile applications). The consumer must be fully informed of their obligations under the contract and of their rights of termination. This information must be presented in a manner that is:

  • Clear.
  • Understandable.
  • Compatible with the communications device that is being used.

The entity providing the financial services must ensure that all necessary records are kept of the referred communications.

In addition to general provisions, payment entities and e-money entities are subject to further regulations relating to their relations with their customers, record-keeping, and information security. These entities must execute a framework agreement with their customers containing, among other information:

  • Identification of both parties.
  • Scope of services to be provided.
  • The process that will be used for approving a payment order and revoking that payment order.
  • Determination of the time of placing a payment order.
  • Operating hours of the payment system.
  • Any foreign exchange rate/information on calculation of foreign exchange rate.
  • Fees payable.

Additionally, these entities must store all relevant documents and records domestically in Turkey, in a safe and accessible manner, and take necessary precautions to prevent unauthorised access to such documents and records (Law on Payment Systems). Failure to comply with these requirements can result in criminal liability, and may be subject to payment of punitive fines and/or imprisonment.

Data protection

Law No. 6698 on the Protection of Personal Data (Data Protection Law), largely based on the Data Protection Directive (95/46/EC), was enacted on 7 April 2016 following the ratification of the Council of Europe Convention for the protection of individuals with regards to the processing of personal data and its related protocol.

Turkish companies must also comply with the General Data Protection Regulation ((EU) 679/2016) (GDPR) if they:

  • Offer goods or services to data subjects in the EU.
  • Monitor the behaviour of EU data subjects that takes place in the EU (such as using online tracking tools to profile an individual).

“Personal data” is defined as any information relating to an identified or identifiable person. The Data Protection Law does not provide specific examples of personal data. However, examples of personal data may include name, address, date of birth, email address and employment-related information. The Data Protection Law also provides for a separate list of “special personal data”, including information on:

  • The appearance and clothing of a person.
  • Criminal records.
  • Biometric and genetic data.

This is especially important for today’s banking practices, where banks use biometrics (face recognition, retina scan, palm scan, among others) to verify the identity of their customers.

The Data Protection Law distinguishes between “data controllers” and “data processors” and sets out their respective responsibilities. A data controller (veri sorumlusu) determines the objectives of, and means for, processing data. A data controller is responsible for the establishment and management of the data recording system. A data processor (veri işleyen) processes personal data based on authority given by the data controller. Data controllers and data processors may be individuals or legal entities.

The Turkish Data Protection Authority (Turkish DPA) keeps a publicly available database (VERBİS) and requires all data controllers who process personal data in Turkey to be registered with VERBİS. The Turkish DPA has recently extended the deadline for the following data controllers to complete their registration with VERBİS to 31 December 2021:

  • Legal entities with more than 50 employees annually, or whose annual total financial statement exceeds TRY25 million.
  • Legal entities located abroad.
  • Legal entities with fewer than 50 employees annually and whose annual total financial statement is less than TRY25 million, but whose main business is processing special personal data.

Data controllers who become subject to the registration requirement after the deadlines listed above (because they fulfil the registration criteria) must register with VERBİS within 30 days of falling within the registration criteria.

There may be a variety of reasons to process personal data. Processing must comply with the general principles set out in the Data Protection Law regardless of the purpose for processing. Accordingly, personal data must be processed lawfully, fairly and accurately and, where necessary, be kept up to date. Data collected must:

  • Be for a specific, explicit and legitimate purpose.
  • Be relevant and not disproportionate for the purpose for which it is being processed.
  • Not be held for longer than is required for such purpose.

Processing requires the express consent of the data subject. The Data Protection Law provides for certain exceptions to the consent requirement, for example, if the processing is required explicitly by law or is directly related to the execution or performance of a contract (in this case, only the personal data of the contracting parties can be processed). The processing of special personal data also requires the data subject’s express consent or the existence of an explicit statutory exemption. Additionally, data controllers must take sufficient measures to protect special personal data. The Turkish DPA has published a list of measures, including the adoption of a separate policy for these data, regular training for employees and execution of confidentiality agreements with such employees, ensuring the security of the electronic platform or physical media where such data is kept, and taking additional security measures when transferring such data.

The transfer of data is subject to the same rules and exceptions as processing. Generally, no transfer can be made without the express consent of the data subject. Data can be transferred without consent under certain circumstances.

The same set of exceptions to the consent requirement applies to transfer of data. The transfer of personal data without consent is subject to further restrictions if the data is transferred outside Turkey. Data controllers can transfer personal data when either:

  • The recipient country has an adequate level of data protection.
  • There is a written agreement in place with the data controller or processor in the recipient country, if that recipient country does not have an adequate level of data protection. This written agreement must be submitted to, and approved by, the Turkish DPA.

While the Turkish DPA is still to announce the list of countries that will be deemed to have an adequate data protection level, it has announced the minimum required content of written agreements.

A data controller or its representative has disclosure obligations towards data subjects, which include the identity of the data controller or its representative, reasons for processing, to whom the data may be disclosed (the recipient), and for what purpose.

Data controllers must take any required administrative and technical precautions to maintain the necessary level of data security.

If data is processed by another individual or legal entity on behalf of the data controller, the data controller is jointly responsible with the processor for taking such precautions. Data controllers and processors cannot disclose personal data if not required by law, nor use such data for a purpose other than the defined purpose of collection. Data controllers must carry out necessary monitoring and audits to ensure compliance.

Anti-money laundering/counter-terrorist financing and know your client requirements

MASAK is the main authority regulating know your client (KYC), anti-money laundering (AML), and counter-terrorist financing requirements.

MASAK imposes certain obligations on financial institutions and some professional organisations, including banks, capital market institutions, insurance companies, payment companies and e-money companies. These obligated institutions must, among other things:

  • Implement KYC/customer identification mechanisms.
  • Report suspicious transactions for AML purposes.
  • Draw up and implement compliance programmes, including appointing compliance officers and setting up internal audit, control and risk management systems.

MASAK and the IT systems regulations impose KYC requirements on financial entities.

17. When traditional financial services firms and FinTech firms enter into partnerships or other arrangements, what are the key legal, regulatory and practical issues they need to consider?

There are no regulatory barriers preventing FinTech businesses from entering into partnerships or other similar arrangements with traditional financial services providers. Recently established FinTech businesses, such as start-ups and crowdfunded project entities, can co-operate with traditional service providers, such as banks and other financial institutions.

Many established banks in Turkey are promoting and supporting FinTech start-ups under angel-investment and incubation centre programmes.

Additionally, several local banks that have been providing internet banking services for over a decade have established websites that enable entrepreneurs and software developers to produce FinTech applications using that bank’s API. This provides start-ups with the opportunity to build FinTech tools using the bank’s existing technological infrastructure, providing higher integration of start-ups to the existing ecosystem, while promoting the bank’s financial infrastructure as a platform that is open to growth and collaboration. Recently, certain FinTech businesses have followed suit and allowed third-party developers and other users to use their APIs. 

18. Do foreign FinTech entities intending to provide services in your jurisdiction encounter regulatory barriers that are different from domestic FinTech businesses?

Under Law No. 4875 on Foreign Direct Investment, which entered into force on 17 June 2003, foreign investors and domestic investors must be treated equally. Accordingly, FinTech entities intending to provide services in Turkey must not encounter regulatory barriers that are different from those applicable to domestic FinTech entities.

Regulatory requirements and minimum eligibility criteria that are set out under relevant legislation apply to foreign FinTech businesses in the same way as they apply to domestic FinTech entities. These include, when applicable, obtaining an establishment and operating permit, and storing relevant documents and data domestically (that is, in Turkey). 

19. What steps can be taken in your jurisdiction to protect FinTech innovations and inventions?

Under the Law on Industrial Property No. 6769, the following categories of intellectual property could be used to protect FinTech innovations in Turkey:

  • Patents or utility models. A patent is a form of monopoly protection provided for inventions that are technically complex and industrially applicable. A utility model is a form of weaker protection provided for inventions that are not complex enough to be registered as patents.
  • Industrial designs. An industrial design is a form of protection provided for original designs with unique characteristics created to technically complement a product in terms of its shape, size, colour, style, configuration, material, or any other specification or feature.

Government initiatives to support FinTech

20. To what extent has the government in your jurisdiction sought to create a more favourable regulatory environment for FinTech businesses?

Although not specifically targeting FinTech businesses and investments, the following help to create a favourable environment for FinTech businesses in Turkey:

  • The Corporate Tax Law No. 5520 introduced a corporate tax exemption for inventions created through research and development (R&D), innovation or software development activities, provided that these inventions are protected by a patent or utility model under Turkish law. 50% of the gains derived from the lease, sale or transfer of such inventions is corporate tax exempt. The exemption also applies to indemnity or insurance claims payments arising from a breach of invention rights. In addition, if the invention is used in a product, the exemption applies to the gains derived from the sale of that product to the same extent as would be attributable to the invention itself.
  • The Law No. 5746 on Supporting Research, Development and Design Activities and the Law No. 4691 on Technology Development Zones introduced incentive and support mechanisms for R&D activities (see Question 5).
  • The Stamp Tax Law No. 488 exempts from stamp tax agreements and other documents of venture capital investment trusts (girişim sermayesi yatırım ortaklıkları) and venture capital investment funds (girişim sermayesi yatırım fonları) with regard to their venture capital investments.

On several occasions, representatives of the relevant ministries and regulatory authorities, including the BRSA, have stated that governmental authorities are working in co-ordination to provide for an ideal regulatory environment to foster the growth of the FinTech sector, while protecting members of the FinTech eco-system (including service providers and customers).

Under the 2019-2023 Development Plan announced by the Presidency in July 2019, action will be taken to further develop the FinTech sector in Turkey (some action has already been taken with the recent amendment to the Law on Payment Systems). Such action includes:

  • Helping support a secure FinTech ecosystem based on international best practices, ensuring a level playing field among various entities.
  • Developing a roadmap to promote the FinTech sector and co-ordinate implementation through a single public authority.
  • Establishing the Istanbul Finance and Technology Base.
  • Establishing the Payment and Electronic Money Institutions Association of Turkey.
  • Providing a legal framework for open banking and aligning national legislation with the Payment Services Directive ((EU) 2015/2366) (PSD2).
  • Introducing financial literacy classes in primary and secondary education and universities.

21. Are there any special regimes in place to facilitate access to capital for FinTech businesses?

There are funds made available by the Scientific and Technological Research Council of Turkey (TÜBİTAK) and EU-supported programmes, such as Horizon 2020, the EU’s programme for research and development. However, FinTech businesses have mostly relied on investment from angel investors, venture capital firms and banks.

The Council of Ministers Decree No. 2018/11662 dated 5 June 2018 sets out the procedure for transferring funds to venture capital funds that provide financing to companies and/or projects. FinTech sector representatives expect to receive a sizable portion of these funds. In January 2019, the Ministry of Treasury and Finance announced a plan to allocate funds of up to TRY400 million in the next five years and invited venture capital funds to apply for evaluation.

22. Is the government taking measures to encourage foreign FinTech businesses to establish a domestic presence?

The objective of the Turkish Government is to facilitate the growth of Turkish financial markets, including FinTech, to position Turkey (and especially Istanbul) as a finance hub for the Europe, Middle East and Africa (EMEA) region.

The establishment of the Istanbul Finance Centre (Istanbul Finans Merkezi), a finance hub that will host regulatory authorities, conventional finance institutions, and FinTech start-ups, is currently in progress. The Turkish Government’s intention is that, on its expected completion in 2022, the Istanbul Finance Centre will be another incentive for foreign FinTech entities to establish a presence in Turkey.  

Cross-border provision of services

23. Are there any special rules that affect the cross-border provision of financial products or services by both domestic and foreign FinTech businesses?

Domestic FinTech businesses

The following requires approval of the BRSA:

  • Establishment of a foreign branch.
  • Establishment of, or participation in, a foreign partnership by a bank primarily established in Turkey.

(Banking Law.)

Accordingly, banks may need to obtain BRSA approval to provide cross-border financial products or services.

There is no blanket provision covering all domestic FinTech businesses with regard to their cross-border activities. Therefore, there are no special rules that affect the cross-border provision of financial products or services by domestic FinTech businesses. In fact, several payment entities, and a payment platform established in Turkey, are already providing cross-border services.

Foreign FinTech businesses

Regulatory requirements and minimum eligibility criteria that are set out under relevant legislation apply to all FinTech businesses operating in Turkey. These businesses may be required to obtain permits from relevant regulatory authorities and to store relevant documents and data domestically (that is, in Turkey).  

The future of FinTech

24. What regulatory measures or initiatives may affect FinTech in your jurisdiction in the future?

In its statement dated 11 January 2018, the Financial Stability Committee stated that a working group comprised of all relevant ministries and regulatory authorities would be formed to draft a legal framework for cryptocurrencies and blockchain-related activities. The Ministry of Treasury and Finance’s statement of 1 March 2021 does not explicitly refer to the drafting of a legal and regulatory framework. However, market participants have interpreted the statement as signalling impending proposals in this area (see Question 11).

The Head of the Central Bank has stated that developments regarding digital currencies are followed closely by the Central Bank, and “if designed correctly, such digital currencies may contribute to financial stability”. Turkey is also preparing to launch a blockchain-based digital central bank money (blokzincir tabanlı dijital merkez bankası parası) (see Question 14).

Following the entry into force of PSD2 (see Question 20) in the EU, Turkey has taken steps towards open banking and has enabled the provision of payment initiation and account information services with a recent amendment that entered into force on 1 January 2020 (see Question 7). With the advancement of open banking, the authors also expect that further regulations will be introduced on both data protection/privacy and combating financial fraud.

On 12 November 2020, the Central Bank announced a new retail payment system called FAST (the acronym of “Instant and Continuous Transfer of Funds” in Turkish). The new payment system will:

  • Allow for 24/7 funds transfers among Turkish banks (the current system operates from 9am to 5pm on working days).
  • Provide shorter transaction times.

A pilot run of FAST started on 18 December 2020, following which it will be gradually put into full service.

FinTech investments in Turkey have been channelled principally through the banking industry and payment systems. As new areas of interest emerge, such as blockchain, robo-advisory and alternative crowdfunding activities, new rules and regulations are expected to be introduced.

 


Contributor profiles

Ekin İnal, Partner

İnal Ünver Attorney Partnership (in association with Norton Rose Fulbright in Turkey)

T +90 212 386 1317

F +90 212 269 3835

E ekin.inal@inalunver.com

W www.inalunver.com

Professional qualifications. Admitted to the Istanbul Bar Association, 2007; admitted to the New York Bar Association, 2012

Areas of practice. Corporate; mergers and acquisitions; securities; banking and finance; project finance; energy and infrastructure.

Non-professional qualifications. Galatasaray University, LLB with honours, 2006; Columbia University, LLM, 2010

Languages. English, Turkish, French

Professional associations/memberships. Member of Galatasaray University and Columbia University Alumni Associations; member of GÜNDER (International Solar Energy Society – Turkey section) and TÜREB, Turkish Wind Energy Association.

H. Alper Tüzün, Associate

İnal Ünver Attorney Partnership (in association with Norton Rose Fulbright in Turkey)

T +90 212 386 1303

F +90 212 269 3835

E h.alper.tuzun@inalunver.com

W www.inalunver.com

Professional qualifications. Admitted to the Istanbul Bar Association, 2016

Areas of practice. Corporate; mergers and acquisitions; securities; banking and finance; project finance; energy and infrastructure.

Non-professional qualifications. Koç University, LLB, 2015; Koç University, BBA, 2016 (Double Major)

Languages. English, Turkish


