In Turkiye, digital banking has become a hot topic in relatively recent times after the introduction of the Regulation on the Operation Principles of Digital Banks and Service Model Banking (Regulation), published in the Official Gazette dated December 29, 2021, issued by the Banking Regulation and Supervision Agency (BRSA).
The regulation sets out the principles and procedures of the operations of digital banks and service model banking in Turkiye. It regulates the activities and requirements for both digital banking and banking as a service (BaaS). To operate in Turkiye, digital banks must obtain an operating license from the BRSA (similar to a regular bank), subject to the requirements provided under the Regulation and the Regulation on Indirect Shareholding and Transactions Subject to Permission of Banks published in the Official Gazette dated November 1, 2006. These general requirements include rules on capital adequacy ratios, management structure, internal control systems, information technology infrastructure, and business plans.
As for the special requirements for digital banks under the Regulation, first, digital banks must have a paid-in capital of at least TRY 1 billion (approximately EUR 50 million), which is extremely high in comparison to the minimum capital requirement for conventional banks (TRY 30 million corresponding to approximately EUR 1.5 million). This high capital requirement aims to ensure that digital banks have enough financial strength and stability to operate without physical branches. However, it may also create a barrier to entry for new players who want to enter the market with lower costs and more flexibility. In comparison, other jurisdictions that have introduced regulations for digital banks, such as Singapore or Hong Kong, have set much lower capital requirements starting from SGD 15 million (approximately EUR 9.5 million).
Moreover, digital banks can only extend loans to financial consumers and small and medium-sized enterprises, with some exceptions for foreign currency loans to larger enterprises. These aim to prevent excessive risk-taking by digital banks and to protect their financial stability. Digital banks also cannot provide physical custodian services other than those provided through digital mediums, such as electronic wallets or cards. This means that digital banks cannot accept cash deposits or withdrawals from customers. Finally, digital banks must maintain at least one physical office for customer complaints. The physical office must be located at the headquarters of the digital bank and must be accessible to customers during working hours. These requirements aim to ensure a certain level of accountability and customer service for digital banks.
BaaS is another concept introduced to Turkish law by the Regulation, and it allows service banks to provide banking services to customers through interface developers, who are normally non-bank platforms such as financial technology companies and e-commerce service providers. In theory, it also allows customers to access multiple banking services through a single platform.
According to the Regulation, the agreement between the service bank and the interface developer must be approved by the BRSA to take effect, and meet the strict requirements outlined in the Regulation. Apart from the agreement, the Regulation mostly focuses on data privacy in the BaaS. In this context, the interface developer is required to obtain consent from its customers before accessing their banking information or performing transactions on their behalf and must also inform its customers in some respects, such as their role in the system, obligations, and fees. Finally, the Regulation strictly forbids banks from acting as interface developers.
In conclusion, digital banking and banking as a service (BaaS) are two concepts that have been introduced to Turkish law relatively recently by the Regulation, and the practice is still yet to fully catch up. While the Regulation aims to regulate the activities and requirements of digital banks and service banks in Turkiye, it may also pose some legal and commercial challenges and risks with the high capital requirements, strict requirements for the contract, and potential data privacy issues. It is yet to be seen whether the Regulation will be sufficient or compatible with the rapidly evolving technological developments and customer expectations in the financial sector, and it is vital for both regulators and market players to monitor the implementation and impact of the regulation closely and to adapt accordingly in the near future.
By Zahide Altunbas Sancak, Partner, and Yasemin Keskin, Senior Associate, Guleryuz and Partners
This article was originally published in Issue 10.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.