The massive increase in the internet usage and the use of mobile applications have boosted the expansion of e-commerce market both worldwide and in Turkey, leading to the dominance of online and cashless solutions for transactions. Despite the rapid growth and development, payment services are still a relatively niche industry in Turkey, attracting many overseas fintech companies specialized in this field.
The legal basis for the principles and procedures regarding payment services is the Law on Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions No. 6493 (the “Law”), which has been in force since June 2013, together with a series of secondary legislation. Mirroring the standards set out under the EU Directives 2007/67/EC and 2009/110/EC, the Law introduced two new types of payment service providers: the Payment Institution (“PI”) and the Electronic Money Institution (“EMI”).
By definition, a Payment Institution is a legal entity that has been granted authorization to provide and execute the payment services defined by law, whereas an Electronic Money Institution is a legal entity that has been granted authorization, in addition to providing and executing payment services, to issue electronic money.
This article provides a basic overview on the scope of services, licensing requirements and compliance obligations of PIs.
Scope of Services
Along with the other payment service providers (i.e. Banks, the National Postal Services Company, and EMIs), PIs are able to offer and render the following services;
♦ Services enabling cash deposits/cash withdrawals on a payment account
♦ All operations required for operating a payment account
♦ Execution of payment transactions, including;
(a) direct debit transactions, including one-off debits
(b) payment transactions via a payment card or a similar device
(c) transfer of funds, including standing orders
♦ Money remittance
♦ Execution of payment transactions where;
(a) the consent of the payer to execute a payment transaction is given via an IT or electronic communication device, and
(b) the payment is made to the IT or network operator, acting only as an intermediary between the user and the supplier of the goods/services.
♦ Intermediary services for utility bill payments
On the other hand, a PI may not engage in any commercial activity that is outside the scope of services listed above, except for (i) conducting FX transactions for providing payment services, and (ii) operating payment systems.
Furthermore, a PI is expressly prohibited from offering the services which can be provided exclusively by banks and financial institutions, i.e. accepting deposits and granting loans. In addition, PIs cannot use expressions in their documents, advertisements and public announcements, which may create an impression that they serve as a bank or act on behalf of banks.
The operation license of a PI is granted by the Banking Regulatory and Supervision Agency (“BRSA”). In order to obtain the operation license, a PI must fulfill a number of conditions, which are as follows:
First, the PI should be incorporated in Turkey in the form of a joint stock company. That means companies which were established in jurisdictions other than Turkey or their branches in Turkey cannot apply for a PI license.
The paid-up capital of the company should not be less than 2,000,000 TRY. It must be paid in cash and free from any sort of encumbrances. The minimum paid-up capital shall be 1,000,000 TRY for PIs providing solely intermediary services for utility bill payments.
All shares of the company must be issued in exchange for cash and in the form of registered shares.
Foreign real and legal persons including banks and financial institutions may be shareholders in a Turkish PI. Shareholders who hold 10% or more of the shares and controlling rights must meet the same qualifications required for being a bank founder as laid down in the Banking Law no. 5411. To name a few, such shareholders should have no serious criminal background, have the necessary financial strength and credibility, have the necessary honesty and competency required for the business, and, in case of a legal entity shareholder, have an open and transparent shareholding structure.
The company is required to have a sound and prudent management as well as adequate personnel and technical equipment, and to establish departments handling complaints and objections to be asserted by users. It should also take the necessary measures for the continuity of the operations, and for security and privacy of the funds and information relating to users.
Last but not least, the company should have a transparent shareholding structure and organizational chart that will not hinder the efficient supervision of BRSA.
Applications shall be made to BRSA, accompanied by information and documents evidencing the fulfillment of the eligibility requirements and qualifications mentioned above. The required documents notably include; board of directors’ resolution, activity program, business plan, financial statements, and independent audit report. In case the applicant company is an affiliate or subsidiary of a non-Turkish bank or financial institution, further documentation with regard to such bank/financial institution (e.g. resolutions of the competent organs, consolidated independent audit report, permission of the regulatory authority, etc.) is required.
Upon submittal of the application file, BRSA shall assess the applicant’s eligibility for licensing, in light of the opinion to be taken from the Central Bank of Turkey. The assessment process shall be completed within 6 months following the date of application. If the application is successful, the PI should commence its operations within 1 year following the issuance of the license and inform BRSA of the date of inception.
As is the case with licensing, BRSA holds the authority to supervise PIs in respect of their organization and activities. In this regard, BRSA is entitled to conduct on-site inspections and distant surveillance activities. To be able to function in compliance with multitudinous operational requirements, PIs should have a robust corporate governance and devise a clear organizational structure, adequate internal control and risk management mechanisms in proportion to the volume, nature and complexity of the business.
The board of directors of the PI must consist of at least 3 members, including the CEO of the company. Board members and the CEO should possess the qualifications required for being a bank founder as set out in the Banking Law no. 5411. The CEO must have a bachelor’s degree and at least 7 years of professional experience in the field of business administration or finance.
The appointment, resignation and dismissal of the board members or of the CEO must be notified to BRSA within one month of the date thereof.
Internal Control and Risk Management
PIs are required to establish both internal control and risk management departments separately, and employ at least one personnel for each department since duties relating to internal control and risk management cannot be carried out by the same person as per the regulations. Such personnel have to conduct their duties without assuming an executive role, and serve directly under the supervision of the board of directors or one of the board members other than the CEO.
The formation of the above departments as well as the designation of the concerning personnel and definition of their duties, powers and responsibilities should be realized prior to the license application.
Share Acquisition and Share Transfer
Share acquisitions and share transfers above the specified thresholds as well as other certain transactions are subject to permission to be granted by BRSA. These are;
► Direct or indirect acquisition of 10% or more stakes in the company;
► Acquisitions whereby a shareholder’s direct or indirect ownership of stakes in the company exceeds 10%, 20%, 33%, or 50%;
► Transfers whereby a shareholder’s direct or indirect ownership of stakes in the company falls under 10%, 20%, 33%, or 50%;
► Creation or termination of usufruct rights over 10%, 20%, 33% or 50% of the voting shares.
The issuance or transfer of privileged shares granting right to nominate a board or audit committee member are also subject to BRSA permission, regardless of the percentage of such privileged shares. Furthermore, share transfers which result in a change of control in a legal entity shareholder having 10% or more stakes in the PI are required to be permitted by BRSA.
All transferees taking part in the abovementioned transactions should as well possess the qualifications required for being a bank founder.
Turkey has a very well-developed financial services infrastructure and continuously invests in new technologies and automation. The applicable legal framework regarding payment services is largely in line with the EU standards, and with the introduction of PIs and EMIs to the payments ecosystem, the payment services industry is expected to grow expeditiously in the near future. As there are still relatively few players participating in the payment services market, foreign payment service providers can quickly achieve a good market penetration in Turkey.