The Central Bank of the Republic of Turkey (“CBRT“) published the “Regulation Amending the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers” (“Amending Regulation”) and the “Communiqué Amending the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in Payment Services” (“Amending Communiqué“) in the Official Gazette on 7 October 2023 . The Amending Communiqué and the Amending Regulation ( Except for the Article 23 of the Amending Regulation) entered into force on the publication date.
The amendments made to Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (“Regulation”) and Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in Payment Services (“ Communiqué”) through the Amending Regulation and the Amending Communiqué include regulations that are in line with the global implementations in the payment services and electronic money sector. .
Amendments in the Regulation
One of the most important changes made with the Amending Regulation is the introduction of the definition of “Digital Wallet.” With the newly adopted provisions in the Regulation, the digital wallet business model has been defined as: “a payment instrument that stores information related to the payment account or payment instrument identified by the customer, provided as an electronic device, online service, or application and enables the customer to make payments using the information related to the payment account or payment instrument identified by the customer., and it is obligatory to carry out digital wallet service within the framework of an operating license. ”
As per the amendments made to the Regulation it is been regulated that the digital wallet service may only be provided by payment service providers.
Furthermore the inclusion made by the Amending Regulation stipulates that individuals who provided digital wallet services before the effective date and could be included in the category of payment institutions or electronic money institutions established under the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493) are required to apply to the CBRT within one year to obtain the necessary licenses. For organizations with operating licenses under Law No. 6493 that provide digital wallet services, a one-year compliance requirement is also foreseen.
In addition, the definition of “card system organization” as defined in the Law No. 5464 on Debit and Credit Cards and services that facilitate, secure or increase the efficiency of payment services and which are not included in the scope of payment services as per the Law No. 6493 are defined as “qualified services” are added to the Regulation.
Another significant amendment in the Regulation is its alignment with the Financial Crimes Investigation Board (“MASAK“) regulations. The regulation regarding anonymous prepaid instruments stipulates that these instruments must remain within the monetary limits specified in the General Communiqué of the Financial Crimes Investigation Board published in the Official Gazette No. 26842 dated April 9, 2008.
The Regulation also establishes various obligations for payment service providers issuing payment instruments. According to the amendments, when issuing payment instruments that are compatible with more than one card system organization and the customer requests that the payment instrument be issued in a manner compatible with a specific card system organization, the payment instrument must be issued in a manner compatible with the card system organization requested by the customer. These provisions are scheduled to come into effect on March 31, 2024.
Furthermore, the Regulation expands the services and activities that institutions with operating license under Law No. 6493 can carry out.
Amendments in the Communiqué
The amendments made to the Communiqué are in parallel with the Regulation. In particular, the issues to act in accordance with the MASAK legislation and MASAK supervisory elements are regulated in more detail than the Regulation.
The Amending Communique includes the following: “Maximum care is taken to ensure that the products and services to be purchased within the scope of critical information systems and security are produced in Turkey or that the R&D centres of their manufacturers are located in Turkey, and this is considered as an important criterion in outsourcing. Such providers and manufacturers must have response teams in Turkey.”
Under the Article 16 of the Communiqué titled Management of the Outsourcing Process Regarding Information Systems.
The Communiqué also includes provisions on the technology and methodology regarding the processes of identification and establishment of the contractual relationship to be carried out by means of remote communication and these systems are included in the scope of critical information systems.
With the change made by the Amending Communiqué “competition sensitive data” phrase under the article titled Data Security and Privacy of the Communiqué has been deleted from the provision.
Thus, payment service providers’ obligation to encrypt competition sensitive data is abolished.
You can access the full text of the Regulation and Communiqué from the link below.