Fintech Law: Türkiye - Part 4

The Turkish jurisdiction does not afford patent protection to software-implemented inventions and business methods. Copyright protection is the method that can be utilised for protecting ownership rights over software. Copyright protection is a natural protection that is offered to the creator from the moment the property is offered or made available to the public. There is no application similar to that of a patent application that is required of a copyright holder.

In principle, pursuant to the Industrial Property Law No. 6769, unless otherwise agreed upon in special contracts executed between the employer and employee or the nature of work, the rights to any designs that were made by employees shall belong to the employer according to employees' job descriptions and obligations arising from the labour contract or owing to the experiences and operations of business organisation. For an invention to qualify as an 'employee service invention', it must be realised during the course of employment. The employee is obliged to report the invention to his or her employer in writing without delay.

There are two distinct regulations regarding the duty of confidentiality: Law No. 5411 governs the confidentiality of banking and financial information, and the Personal Data Protection Law (Law No. 6698) prohibits or sets limitations to the disclosure, processing and transfer of personal information, which would also include client information.

The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers includes the term 'sensitive customer data' and defines it as personal data and customer security information used in issuing payment orders or verifying the identity of the customer, which, if captured or changed by third parties, may allow fraud or fraudulent transactions on behalf of the customer. In this context, fintech companies are obliged to take the necessary measures for the protection of secrets and personal data, especially sensitive customer data and data belonging to themselves, in the procurement of external services.

In addition, with Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, the CBRT is authorised to determine all procedures and principles regarding the service of presenting consolidated information regarding one or more payment accounts of the payment service user with payment service providers on online platforms, provided that the payment service user's approval is obtained and the payment order initiation service is offered for the payment account in another payment service provider at the request of the payment service user.

The Regulation for Disclosure of Confidential Information was published in the Official Gazette dated 1 January 2022. With the Regulation also referring to Law No. 6493, it is aimed at determining the scope, procedures and principles of the sharing and transfer of confidential bank and customer data. Furthermore, Article 73 of Law No. 5411 regulates the confidentiality obligation, exceptions and definition of confidential customer data.

The Guideline Regarding Good Practices on Protection of Personal Data in the Banking Sector (the Guideline of Good Practices) was published on 5 August 2022 by the Personal Data Protection Authority. The purpose of the Guideline of Good Practices is to guide the data controller banks to carry out their personal data processing activities in accordance with the legislation and to set good practice examples within this framework. The issues include data processing agreements, which are to be made between the data controller and data processor, support services, affiliates and subsidiaries, open banking and situations in which the banks act as agents, have been evaluated within the scope of data controller-data processor relations.

The Guideline on Cookie Application has been published by the Personal Data Protection Board in June 2022. This guideline includes topics such as the definition of cookies and type of cookies in general, the relation between the Electronic Communication Law No. 5809 (ECL) and Personal Data Protection Law No. 6698 (PDPL), rules to be considered when using cookies, and cookies requiring or not requiring the granting of explicit consent.

Additionally, as per the Regulation on Banks' Information Systems and Electronic Banking Services, banks can benefit from cloud computing systems as an external service tool, provided that these systems are kept within Türkiye in accordance with the provisions of the Regulation. As per the Communiqué on Management and Supervision of Information Systems of Payment Institutions and Electronic Money Institutions, payment institutions and electronic money institutions shall mandatorily have their primary and secondary systems located in Türkiye, and cloud computing must be within the scope of these systems. Guidelines for External Service Providers Offering Community Cloud Services to Payment and E-Money Institutions were published by the CBRT in July 2022, setting additional eligibility requirements for the external service providers wishing to offer services.

As per the Regulation on the Independent Audit of Information Systems and Business Processes, published in the Official Gazette dated 31 January 2022, auditing of the information systems and business processes of the institutions under the supervision and control of the BRSA shall be made by the independent audit firms.

The Turkish jurisdiction does not afford patent protection to software-implemented inventions and business methods. Copyright protection is the method that can be utilised for protecting ownership rights over software. Copyright protection is a natural protection that is offered to the creator from the moment the property is offered or made available to the public. There is no application similar to that of a patent application that is required of a copyright holder.

In principle, pursuant to the Industrial Property Law No. 6769, unless otherwise agreed upon in special contracts executed between the employer and employee or the nature of work, the rights to any designs that were made by employees shall belong to the employer according to employees' job descriptions and obligations arising from the labour contract or owing to the experiences and operations of business organisation. For an invention to qualify as an 'employee service invention', it must be realised during the course of employment. The employee is obliged to report the invention to his or her employer in writing without delay.

There are two distinct regulations regarding the duty of confidentiality: Law No. 5411 governs the confidentiality of banking and financial information, and the Personal Data Protection Law (Law No. 6698) prohibits or sets limitations to the disclosure, processing and transfer of personal information, which would also include client information.

The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers includes the term 'sensitive customer data' and defines it as personal data and customer security information used in issuing payment orders or verifying the identity of the customer, which, if captured or changed by third parties, may allow fraud or fraudulent transactions on behalf of the customer. In this context, fintech companies are obliged to take the necessary measures for the protection of secrets and personal data, especially sensitive customer data and data belonging to themselves, in the procurement of external services.

In addition, with Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, the CBRT is authorised to determine all procedures and principles regarding the service of presenting consolidated information regarding one or more payment accounts of the payment service user with payment service providers on online platforms, provided that the payment service user's approval is obtained and the payment order initiation service is offered for the payment account in another payment service provider at the request of the payment service user.

The Regulation for Disclosure of Confidential Information was published in the Official Gazette dated 1 January 2022. With the Regulation also referring to Law No. 6493, it is aimed at determining the scope, procedures and principles of the sharing and transfer of confidential bank and customer data. Furthermore, Article 73 of Law No. 5411 regulates the confidentiality obligation, exceptions and definition of confidential customer data.

The Guideline Regarding Good Practices on Protection of Personal Data in the Banking Sector (the Guideline of Good Practices) was published on 5 August 2022 by the Personal Data Protection Authority. The purpose of the Guideline of Good Practices is to guide the data controller banks to carry out their personal data processing activities in accordance with the legislation and to set good practice examples within this framework. The issues include data processing agreements, which are to be made between the data controller and data processor, support services, affiliates and subsidiaries, open banking and situations in which the banks act as agents, have been evaluated within the scope of data controller-data processor relations.

The Guideline on Cookie Application has been published by the Personal Data Protection Board in June 2022. This guideline includes topics such as the definition of cookies and type of cookies in general, the relation between the Electronic Communication Law No. 5809 (ECL) and Personal Data Protection Law No. 6698 (PDPL), rules to be considered when using cookies, and cookies requiring or not requiring the granting of explicit consent.

Additionally, as per the Regulation on Banks' Information Systems and Electronic Banking Services, banks can benefit from cloud computing systems as an external service tool, provided that these systems are kept within Türkiye in accordance with the provisions of the Regulation. As per the Communiqué on Management and Supervision of Information Systems of Payment Institutions and Electronic Money Institutions, payment institutions and electronic money institutions shall mandatorily have their primary and secondary systems located in Türkiye, and cloud computing must be within the scope of these systems. Guidelines for External Service Providers Offering Community Cloud Services to Payment and E-Money Institutions were published by the CBRT in July 2022, setting additional eligibility requirements for the external service providers wishing to offer services.

As per the Regulation on the Independent Audit of Information Systems and Business Processes, published in the Official Gazette dated 31 January 2022, auditing of the information systems and business processes of the institutions under the supervision and control of the BRSA shall be made by the independent audit firms.

Outlook and conclusions

The use of FinTech has increased over the past years in Türkiye and a dynamic ecosystem is established as financial technologies are transforming finance, business and transaction models and new regulations are being adopted at a constant rate. In 2024, a number of legislative changes are expected in response to sectoral needs and developments fintech. In addition to that, provision of regulatory sandboxes where fintechs can develop their products and services in a protected area are also expected to be provided by regulatory and supervisory authorities.

One of the most significant legal developments is expected in the regulation of cryptoassets in 2024 as the Grand National Assembly of Türkiye (TBMM) has put on its agenda the draft legislation to introduce regulations on cryptoassets to the Law No. 6362. New regulations are being adopted that enable the entry of new actors to the fintech market, increasing cooperation with the banking sector and facilitating the development of the fintech sector in Türkiye, such as the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services Providers. At the end of 2022, the transition period regarding the provisions of the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services for Payment Service Providers was extended until 30 June 2024 to enable the fintech sector actors to properly adapt to the new regulations.

The Turkish Payment Service and Electronic Money Association targets in 2024 to increase the recognition of Turkish Fintechs abroad. A Law on the Support for the Development of Data Centres, Cloud Computing and Platform Services is on the agenda; this is anticipated to have a positive effect on the fintech industry. Additionally, amendments to the Personal Data Protection Law are also anticipated.

Amendments to the Turkish Commercial Law and Law of Obligations regarding issues relating to the adaptation to developing technologies and digital transformation are also expected. It is expected that 2024 will be the year of embedded finance technology and regulation in fintech will increase accordingly.

The use of FinTech has increased over the past years in Türkiye and a dynamic ecosystem is established as financial technologies are transforming finance, business and transaction models and new regulations are being adopted at a constant rate. In 2024, a number of legislative changes are expected in response to sectoral needs and developments fintech. In addition to that, provision of regulatory sandboxes where fintechs can develop their products and services in a protected area are also expected to be provided by regulatory and supervisory authorities.

One of the most significant legal developments is expected in the regulation of cryptoassets in 2024 as the Grand National Assembly of Türkiye (TBMM) has put on its agenda the draft legislation to introduce regulations on cryptoassets to the Law No. 6362. New regulations are being adopted that enable the entry of new actors to the fintech market, increasing cooperation with the banking sector and facilitating the development of the fintech sector in Türkiye, such as the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services Providers. At the end of 2022, the transition period regarding the provisions of the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers and the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services for Payment Service Providers was extended until 30 June 2024 to enable the fintech sector actors to properly adapt to the new regulations.

The Turkish Payment Service and Electronic Money Association targets in 2024 to increase the recognition of Turkish Fintechs abroad. A Law on the Support for the Development of Data Centres, Cloud Computing and Platform Services is on the agenda; this is anticipated to have a positive effect on the fintech industry. Additionally, amendments to the Personal Data Protection Law are also anticipated.

Amendments to the Turkish Commercial Law and Law of Obligations regarding issues relating to the adaptation to developing technologies and digital transformation are also expected. It is expected that 2024 will be the year of embedded finance technology and regulation in fintech will increase accordingly.