Guideline for Service Providers Offering Community Cloud Services is Updated
Developments in the fintech ecosystem, which is of critical importance specifically for regulated sectors, brought many regulations. As known, in accordance with Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Act), which is the main legislation for payment systems and payment service providers, the authority had been transferred from Banking Regulation and Supervision Agency to the Turkish Central Bank (TCMB).
As a glance to the background of it; Communique on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services (Communique), which is among the eagerly anticipated regulations of the financial sector, had come into force on 1 December 2021. Communique has been regulating the procedures and principles regarding the activities of payment and electronic money institutions.
Communique stipulates that payment and electronic money institutions may outsource all or part of their information systems, provided that they fulfil the obligations under the Act and the relevant legislation. As per the Communique, sensitive customer data, competition-sensitive data, personal data, or any information that can be associated with the customer and makes them specific or identifiable may only be obtained through a private cloud service model offered over hardware and software resources allocated to the relevant payment and electronic money institution. However, payment and electronic money institutions may outsource through the community cloud service model, where hardware and software resources are physically shared but a separate resource is assigned to each payment service provider, if such service is provided by external service providers deemed appropriate by the TCMB. Moreover, outsourcing is possible provided that the relevant hardware and software resources are allocated to other credit institutions or financial institutions that are regulated and supervised by a competent authority within the framework of the legislation and that TCMB grants approval to the outsourcing service provider offering such service.
In this context, TCMB updated its guideline on external service providers offering community cloud services (Guideline 1.0) and published the Guideline on External Service Providers Offering Community Cloud Services to Payment and Electronic Money Institutions version 1.1 (Guideline) on 24.04.2023.
Guideline includes four main topics: Conditions that external service providers that will provide community cloud services must fulfil in order to obtain TCMB's permission and the actions to be taken regarding the application, evaluation and supervision processes.
Guideline states that a payment system and securities settlement system operator and a private law legal entity in which the system operator is the main shareholder may also be a community cloud service provider.
According to Guideline 1.0., outsourcing service providers could not outsource the activities related to the community cloud service itself, whereas according to Guideline, an outsourcing service provider may outsource the community cloud service provided that it is provided by its parent, subsidiary or third parties affiliated with its parent. Moreover, the types of certificates that outsourcing service providers are required to have, have been updated and detailed.
In Guideline, under the heading "Application of the Guideline", it is stated that applications that have not yet been finalised shall be evaluated according to Guideline version 1.0. However, outsourcing service providers that were granted conformity granted before 30 April 2023 are obliged to comply with version 1.1 of the Guideline until 31 December 2023.
TCMB has already authorised only four companies to provide community cloud services. Firms that seek to offer community cloud services and have not yet submitted their applications must fulfil the requirements set out in the Guideline.
You can reach the full text of Guideline published by the TCMB here (only available in Turkish).