Central Bank Guidelines On Open Banking Service – Financial Services


To print this article, all you need is to be registered or login on Mondaq.com.

Recent Developments

Last October, the Central Bank of the Republic of Türkiye
(the “CBRT“) published the guidelines (the
Guidelines“) aiming to ensure
compliance with the legislation and uniformity in operating
licenses to be granted by the CBRT by correlating the payment
services regulated under the Law No. 6493 on Payment and Securities
Settlement Systems, Payment Services and Electronic Money
Institutions (the “Law“) and the
Regulation on Payment Services and Electronic Money Issuance and
Payment Service Providers (the
Regulation“) with the business models
in the field of payments. You can access our newsletter dated
October 10, 2022 regarding the Guidelines here.

This time, on December 30, 2022, the CBRT published the
Guidelines on Data Sharing Services for Payment Services (the
DSSPS Guidelines“), which provide
detailed information on (i) Payment Order Initiation Service and
(ii) Account Information Service, referred to as Data Sharing
Services for Payment Services (the
DSSPS“), regulated by the Law and the
Communiqué on Information Systems of Payment and Electronic
Money Institutions and Data Sharing Services of Payment Service
Providers in Payment Services Area (the
Communiqué“).

The DSSPS Guidelines provide detailed explanations as to whether
certain frequently used business models in the field of payments
require an operating license for payment order initiation services
and account information services, and the licensing and technical
certification process. However, the DSSPS Guidelines state that
evaluations elaborated thereunder only provide general framework
and final evaluations will be subject to review of the CBRT upon
official applications for operating licenses. You can access the
DSSPS Guidelines here.

What’s new?

Exemplary Business Models and Respective Evaluations within the
Scope of the DSSPS Guidelines

1. Account Information Services

As elaborated in the Communiqué, Account Information
Service is defined as presentation of the data collected by the
Account Information Service Provider licensed within the scope of
the payment services from payment service user’s accounts with
different Account Service Providers. Institutions providing such
services are required to obtain an operating license from the CBRT
in accordance with subparagraph (g) of the first paragraph of
Article 12 of the Law.

The DSSPS Guidelines shed light as to whether an operating
license is required for various business models implemented in the
sector. In this respect, the following criteria are taken as a
basis for identifying a service as an “Account Information
Service”:

  • If the service provider enters into direct agreements with the
    account service providers in order to receive responses to the
    inquiries they pose with certain frequencies through their own firm
    infrastructure, and if the service provider directly deals with the
    account service providers and they are
    technically/administratively/legally liable to these parties and
    client data is directly transmitted by the account service
    providers to the service provider that will provide account
    information services, the service in question is considered Account
    Information Service and requires an operating license under the
    Law.

  • If the service provider does not enter into a direct legal
    relationship with the account service providers where the client
    accounts are held, but instead the client signs a web services
    protocol with the account service provider and shares the account
    activity data with the service provider itself, the service
    provider’s efforts are not considered Account Information
    Service.

It is also stated that whether the client accesses the Bank with
an IP belonging to the client or to the service provider does not
change the evaluation. The situation must be evaluated within the
scope of outsourcing services by a technology company by the
client, the legal/contractual counterparty of the bank being still
the client.

  • The DSSPS Guidelines do not consider it a payment service for a
    technology firm to sell white-labeled software or lease a license
    for such software that is used for consolidating web services for
    the purpose of providing its customers with “Account Activity
    and Online Bulk Transfer Web Services” related to the
    customers’ accounts with account service providers. The service
    in question is considered as a technical service.

In addition, it clarifies that if the client is a holding
company, the access of its holding companies with a single IP is
considered within the scope of the DSSPS and there is no need to
obtain a license and they may rely on the exemption in the Law
regarding payment services that are realized between the parent
company and its subsidiaries or between the subsidiaries that are
not intermediated by any payment service provider other than a
company belonging to the same group.

2. Payment Order Initiation Service

The DSSPS Guidelines define a payment order initiation service
as intermediation by a licensed Payment Order Initiation Service
Provider of payment service users to place a payment order for
payment from a payment account before another payment service
provider.

Accordingly, the DSSPS Guidelines clarify whether an operating
license is required for various business models implemented in the
sector as follows:

  • If the service provider enters into direct agreements with the
    institutions where their clients’ accounts are held and are
    direct counterparties to these institutions being
    technically/administratively/legally liable to them, the service in
    question is considered Payment Order Initiation Service and
    requires an operating license under the Law.

In addition, if the payment institution obtains the client’s
account information (balance, account activities, etc.) from the
relevant Account Service Providers and provides it to the client,
it must also obtain an operating license from the CBRT for the
Account Information Service.

  • The payment flow, in which a payment institution stores its
    clients’ bank cards in the digital wallet offered by the
    payment institution and the payment institution acts as an
    intermediary for the clients to transfer funds from their cards in
    this digital wallet (from the linked payment account) to the
    payment institution’s contracted merchant account using the
    payment institution’s application, is considered Ppayment Order
    Initiation service and requires an operating license under the
    Law.

Evaluations on Frequently Asked Questions

  • The DSSPS Guidelines clarify that service providers that
    currently provide Account Information Service and/or Payment Order
    Initiation Service, but have not applied to the CBRT for an
    operating license for these services, may continue to operate as
    the representative of an institution that has obtained an operating
    license, as long as they comply with the provisions of the CBRT
    Instruction dated December 13, 2021 on “Contracts”,
    particularly the contracts to be concluded with the client, and the
    provisions regarding representation of the Regulation and
    Communiqué.

  • Banks’ online account statement sharing services are also
    considered Account Information Services. In case such service is
    provided through technology companies (assuming they have direct
    agreements with these companies), it is considered that the
    technology companies providing the said service must also obtain a
    license.

  • Pursuant to the Regulation, payment institutions can provide
    information services for the accounts of legal entities and
    merchants that are not considered payment accounts, regarding their
    administrative and operational processes. DSSPS Guidelines state
    that if the validity of the consent for processing of
    customer’s account information expires or the customer removes
    their consent, their data may continue to be stored with the
    customer’s approval. However, the DSSPS Guidelines emphasize
    that data other than audit trail data must be deleted if the
    relationship between the customer and the payment organization is
    terminated.

  • DSSPS Guidelines regulate that counterparty information such as
    Turkish identity number, tax identification number, IBAN and
    account number can only be displayed by masking.

  • The DSSPS Guidelines clarify that the Account Information
    Service and the Payment Order Initiation Service are not
    prerequisites for each other. In this regard, a license application
    can be applied separately only for Account Information Service or
    only for the Payment Order Initiation Service, or for both at the
    same time.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Finance and Banking from Turkey

New PRIIPs Requirements In 2023

KPMG in Cyprus

Many European fund managers have benefited from transition periods since the PRIIPs regulation was first introduced in 2018, but all things come eventually to an end: From 1 January 2023…

Source link

Share This
COMMENTS

Leave a Reply

Your email address will not be published.