Critical Changes from TCMB for Payment and Electronic Money Institutions
The Central Bank of the Republic of Turkey (TCMB) published the “Regulation Amending the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers” (Amendment Regulation) and the “Communiqué Amending the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services” (Amendment Communiqué) in the Official Gazette dated 7 October 2023.
The relevant regulations contain detailed and comprehensive provisions on many topics. In particular, the provisions on the definition of digital wallet service and remote identification of payment institutions are critical.
We have compiled the main changes in the Amendment Regulation for you below:
Digital Wallet Services
Pursuant to the Amendment Regulation, the procedures and principles regarding “digital wallet” services were regulated for the first time in the legislation. Accordingly, a digital wallet is defined as “a payment instrument that is offered as an electronic device, online service or application where the information related to the payment account or payment instrument defined by the customer is stored, and which enables the customer to perform payment transactions using the information related to the payment account or payment instrument defined by the customer”.
The Amendment Regulation also provides that digital wallet services can be offered by payment service providers (PSPs) and specifies the services that are not considered digital wallet services.
In this context, providers wishing to offer digital wallet services must at least be authorized for “issuance of payment instruments”. In addition, the Amendment Regulation specifically identifies the wallet services for which authorization for “electronic money issuance” and “payment order initiation services” is also required.
Pursuant to the Amendment Regulation, payment and electronic money institutions offering digital wallet services but not authorized by TCMB before 7 September 2023 must apply to TCMB and obtain the necessary authorization by 7 September 2024.
In addition, payment and electronic money institutions that were offering digital wallet services before 7 September 2023 and are authorized by the TCMB are required to comply with the relevant provisions by 7 September 2024.
Payment Order Initiation Service
Payment order initiation services were regulated under payment services. With the Amendment Regulation, certain situations that should or should not be considered as payment order initiation services are regulated. Hence, some uncertainties in practice have been eliminated. In this context, in order for a payment transaction to be considered as a payment order initiation service, the party initiating the payment transaction must use a PSP other than the PSP where its payment account is located.
However, for payment transactions initiated by the sender through the payee, if the sender does not use a PSP other than the PSP where its payment account is located to place the payment order, but only through the custody of a payment instrument issued by another PSP for the purpose of loading funds into the payment account at the PSP providing the service and the payment instrument issued by that PSP, this service will not be considered as a payment order initiation service.
Account and Infrastructure Services to be Provided to Other Payment Service Providers
The Amendment Regulation introduces several restrictions that apply when another payment service provider wishes to use the payment account or payment infrastructure services offered by a PSP, depending on the “controlling” status of the providers. In this context:
- In cases where the PSP is used by other PSPs, including a PSP over which it has control, it is required to provide services to all relevant PSPs under the same terms and conditions and with the same remuneration policy.
- In cases where a PSP offers payment account and infrastructure services, it will not be able to direct or coerce its customers to receive services from the PSP it controls in a way that would disadvantage the PSP it controls.
- Except for the services offered as an interface provider, the receiving PSPs will not be able to use expressions that may give the impression that they are acting on behalf of the controlled PSP in all kinds of documents, announcements, advertisements and public statements regarding the services they will offer.
Scope of Activities of Payment and Electronic Money Institutions
The Amendment Regulation expands the scope of activities of payment and electronic money institutions. Accordingly, institutions can offer services within the framework specified in the Amendment Regulation, including the provision and intermediation of transactions related to the purchase and sale of precious metals and precious stones and foreign exchange listed in the Decree No. 32 on the Protection of the Value of the Turkish Currency, and the provision of services as an interface provider regulated in the service model banking legislation.
Protection of Payment Funds
Pursuant to the Amendment Regulation, payment and electronic money institutions cannot pledge payment funds as collateral. However, all administrative and judicial requests, such as injunctions, attachments and similar measures, regarding the rights and receivables of payment service users before the institution will be fulfilled exclusively by the institution.
In addition, institutions will monitor the funds collected in return for payment and electronic money by segregating them from other funds and will be able to use them only for the purpose of realizing the payment transaction. It is also stipulated that the funds against electronic money will be provided by the payment and electronic money institution in a way that ensures customer-based tracking.
Additional Obligations Related to the Payment Instrument
Pursuant to the Amendment Regulation, the following additional rules have been introduced regarding the mutual rights and obligations of the payment service provider and the customer:
- In case of issuance of a payment instrument compatible with more than one card issuer, the customer will be asked which card issuer the payment instrument will be issued compatible with, including all alternatives; the payment instrument will be issued compatible with the card issuer of the customer’s choice.
- Before and after the issuance of the payment instrument, the customer shall not be subjected to different practices according to the card issuer; the customer shall not be discriminated against based on the card issuer; the customer shall not be directed or forced to issue the payment instrument in compliance with a particular card issuer.
- The payment service provider that accepts card-based payment instruments shall ensure that the devices, hardware and software used in acceptance activities are compatible with the card systems established by payment system operators authorized to carry out card system establishment activities and that payment instruments issued in compliance with these infrastructures can be used in the merchants to which it provides services.
These obligations of payment service providers will enter into force on 31 March 2024. The full text of the Amendment Regulation is only available in Turkish.
The significant changes brought by the Amendment Communiqué are as follows:
Audit Trail Recording Systems
Audit trails refer to the records that will enable a financial or operational transaction to be tracked from the beginning to the end, and the records that show who accessed or attempted to access information assets and what transactions the user performed. Accordingly, the Amendment Communiqué stipulates that the records to be kept in audit trail recording systems should also include “the application, communication network protocol, time and source, and destination port and IP information where the access or transaction took place”.
External Service Procurement Process for Information Systems
Pursuant to the Amendment Communiqué, a supervised credit institution or financial institution, as well as its subsidiaries that provide information systems services, will be able to provide community cloud services to the parent, its subsidiaries and the subsidiaries of the parent.
In addition, it is regulated that the minimum elements of the outsourcing contract will be applied to the extent appropriate for service procurements that do not have the potential to affect the confidentiality, integrity and accessibility of data, do not cause sensitive customer data to be shared with the outsourcing service provider, and are not designed and offered specifically for the organization.
The Amendment Communiqué also stipulates that in the event that products and services to be procured within the scope of critical information systems and security are outsourced, utmost care should be taken to ensure that they are produced in Turkey or that the R&D centres of their manufacturers are located in Turkey. In addition, such providers and manufacturers are required to have response teams in Turkey, even if they are not located in Turkey.
Identification and Contract Processes to be Conducted via Remote Communication Tool
Pursuant to the Amendment Communiqué, the stages to be followed in remote identification and verification, in the processes of identification and establishment of the contractual relationship carried out by means of remote communication, have been re-regulated and their scope has been expanded. Accordingly, the Amendment Communiqué regulates the conditions for remote identification through “near field communication (NFC)”, how biometric data will be used, how white light control and liveness tests will be performed, and many details regarding security elements, and clarifies the steps for remote identification.
Another significant change is that the information systems used in the processes to be carried out with remote communication tools are considered as “critical information systems”.
Pursuant to the Amendment Communiqué, two separate compliance periods are envisaged, one ending on 30 June 2024 and one on 31 December 2025, varying according to the characteristics of the services offered by the service providers. In this context, relevant providers are obliged to comply with the Amendment Communiqué by the deadline set for them, according to the characteristics of the services they offer.
The full text of the Amendment Communiqué is only available in Turkish.