Products Account InformationPayment InitiationVirtual POSPayment GatewayPay by LinkMarketplace PaymentsDirect Debit SystemReconciliationCard VaultCash Flow ManagementAdvisory & Licensing Solutions Business Finance E-Money / Wallet E-Commerce Industries KobAI Soon Pricing RESOURCES Documentation API Reference Open Banking Guide Security & Compliance Supported Banks Blog Success Stories About Contact
Log in Try Free
BLOG

Open Banking Regulation in Türkiye

Inspired by PSD1, which entered into force in the European Union for payment services, Türkiye’s law on payment services came into force on 27 June 2013 — Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (the “Law”). With the secondary regulations that followed, the legal infrastructure of the digital world in banking and payment services was also established in Türkiye.

That Law underwent significant changes on 12 November 2019, effective from 1 January 2020. One of these was the introduction of new payment services. With that, the first step was taken to give a legal basis to open banking — a topic that had been on regulators’ agendas for some time. Through paragraphs (f) and (g) added to the first clause of Article 12 of the Law (which lists the types of payment service), open banking activities were envisaged, very similar to the rules in PSD2. In this context, “payment initiation service” was defined as “the service of initiating a payment order in relation to a payment account held at another payment service provider, at the request of the payment service user”; and “account information service” as “the service of presenting, on online platforms, consolidated information about one or more payment accounts held by the payment service user with payment service providers, provided that the user’s consent is obtained.”

It was thereby established that institutions providing payment initiation or account information services must be payment service providers under the Law and are subject to the obligations payment service providers must meet. For providers offering only account information services, we see that the requirements applied to other payment institutions — issuing shares for cash, all shares being registered, and minimum capital — will not be sought. Under the new amendments, the authority to regulate this area lies with the Central Bank of the Republic of Türkiye (the “Central Bank”).

In addition, the “Regulation on Banks’ Information Systems and Electronic Banking Services,” published on 15 March 2020 and entering into force on 1 July 2020, defines open banking services as an “electronic distribution channel through which customers, or parties acting on behalf of customers, can remotely access the financial services offered by the bank — via methods such as API, web service or file transfer protocol — to perform banking transactions or to instruct the bank to perform them,” and accepts them as one of the electronic banking services. As a natural consequence, rules similar to those under the RTS attached to PSD2 — such as authentication, transaction security, monitoring transactions against fraud risk, and informing customers — became applicable to open banking services as well. Unlike PSD2, however, this regulation imposes obligations only on banks, so the legislation does not yet determine the obligations that open banking service providers must meet. The obligations applicable to all payment service providers are expected to be set out in secondary regulations to be issued by the Central Bank. The new open banking rules must be issued within one year of 12 November 2019, the date the amendments to the Law entered into force — that is, by 12 November 2020. Because the Central Bank emphasised, during the committee discussions on the Law that first regulated open banking, the importance of setting standards for open banking, the relevant regulations are expected to address standardisation of APIs and similar interfaces.

Thanks to remote identification — one of the important provisions introduced by the Regulation entering into force on 1 July 2020 — it will be possible to identify new customers remotely, or to receive service via open banking from another bank that has previously performed identification. With these changes, in a country that has already made significant progress in delivering remote financial services to existing customers, the convenience of signing contracts remotely will also be provided for new customer acquisition by financial institutions, broadening the scope of transactions that can be carried out under open banking.

For now, whether banks in Türkiye will be required to share data with service providers has not been determined in legislation. However, within the current framework — unlike the original version of PSD2 — technical standards have been envisaged, albeit in a limited scope, and the technological framework for banks that will provide open banking services has to some extent been drawn. The Law gives the Central Bank the authority to regulate the procedures and principles for data sharing in open banking, and it is anticipated that the secondary regulations to be issued will determine under what conditions banks must share data with other payment service providers within open banking activities.

At this point, it is extremely important that the new open banking rules clearly draw the boundaries of data-sharing standardisation in line with banks’ expectations, set out measures to ensure data security, ensure that the obligations placed on fintech companies do not make entry into the system difficult, and include provisions supporting ease of use and data privacy for customers.

Back to home
FAQ

Frequently asked questions

Who regulates open banking in Türkiye?

In Türkiye, open banking and payment services are regulated primarily by the TCMB (Central Bank of the Republic of Türkiye) within the relevant legislation and data-sharing framework.

Is a license required for open banking?

The party providing account information (AIS) and payment initiation (PIS) services must be licensed. Kobaküs is an unlicensed infrastructure provider; a licensed partner holds these roles.

How does KVKK apply to open banking?

Personal financial data falls under KVKK: processing relies on explicit consent, a defined purpose and data minimization. Kobaküs is KVKK-compliant and processes data only within the permitted scope.

What is the role of BKM?

BKM (Interbank Card Center) and related national payment infrastructures play a role in operating interbank payment and data-sharing services; open banking works in harmony with these.

What are TCMB's data-sharing services?

It is the national framework that requires banks in Türkiye to offer standard, secure services for account information and payment initiation; licensed parties operate through these services.

Is Kobaküs compliant with Turkish regulation?

Kobaküs is an infrastructure provider compliant with technical standards (FAPI, OAuth, mTLS) and KVKK. Services that require a license are carried out through a licensed partner; we structure the right model together.