Account Information Service and Its Exceptions in Türkiye

As digitalization started to take place for banks, companies and individuals, and as the usage areas of the funds in deposit accounts, which can be considered as the first version of virtual money, diversified, technology companies started to witness the first examples of account information service (“AIS”) and payment order initiation service (“PIS”), which can be considered as a primitive compared to its current version.

In particular, instead of checking each account in each bank individually in order to carry out the accounting and reconciliation processes of holdings and companies holding accounts with multiple banks, they started to obtain account information by connecting to banks through their own internal resources or through third-party service providers, methods that can be considered as the ancestors of today’s Banking as a Service (“BaaS”).

Banks that did not or could not provide this infrastructure and individual users used methods known as screen scraping. Considering the needs of the digital age and the risks arising from the screen scraping method, account information service (“AIS”) started to be accepted as a licensed payment service in our country, as in many countries around the world, with the regulation made on 12.11.2019 in the Law №6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Law”). Our information note on the subject.

In this article, we would like to share that we have compiled the basic concepts and basic issues related to implementation examples within the framework of the Law and its secondary regulations and the guidelines of the Central Bank of the Republic of Türkiye in a question-and-answer format.

1. What is the Account Information Service?

With the regulation dated 12.11.2019, the account information service has been included in the Law as follows:

“Provided that the consent of the payment service user has been obtained, the service of providing consolidated information on online platforms regarding one or more payment accounts of the payment service user with payment service providers.”

When we consider the definition in the Law together with the other referenced definitions, account information service appears in the following forms;

• a natural or legal person (payment service user) benefiting from a particular payment service

• one or more banks, e-money institutions, payment institutions, PTT A.Ş.

• one or more demand deposit accounts, transaction accounts, credit card accounts, electronic money accounts, and accounts opened in name, which can be used to transfer funds to other persons without being linked to another account, except for accounts where temporary movements are monitored (Article 59/8 of the Regulation)

• providing of consolidated information on online platforms

In the Payment Services Directive II (“PSD II”), account information service is defined as:

an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider”

In the Payment Service Directive III (“PSD III”) and Payment Service Regulation (“PSR”) drafts shared with the public by the European Commission on June 28, 2023, the account information service is included as follows;

“an online service of collecting, either directly or through a technical service providerand consolidating information held on one or more payment accounts of a payment service user with one or several account servicing payment service providers”

This amendment may be considered as a reflection of the view of the regulatory authorities regarding the definition in PSD II that the technical service exception cannot be accepted for the account information service.

2. Which accounts are considered as “payment accounts”?

A payment account is defined in the definitions section of the Law and Regulation as “an account opened in the name of the payment service user and used for the execution of the payment transaction”.

With the regulation of the account information service in the Law, the need to more clearly define the framework of the payment account referred to in the definition of this service arose, and the eighth paragraph of Article 59 of the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (“Regulation”), which entered into force on 01.12.2021 by the CBRT, addresses this need.

Scope of the payment account in the relevant provision of the Regulation;

– checking account,

– transaction account,

– credit card account,

– electronic money account, and

– accounts opened in the name of the payment service user, which can transfer funds to other persons without being linked to another account, other than accounts where temporary movements are monitored

and it is further stated that this scope may be expanded by the CBRT.

3. Who is the Account Servicing Payment Service Provider (ASPSP)?

The definition of Account Servicing Payment Service Provider (“ASPS”) is not included in the Law and the Regulation but can be found in the CBRT’s guidelines and is defined in PSD II as “a payment service provider that provides a payment account for the payer and maintains the service”.

For example, the bank, e-money institution or PTT A.Ş. that holds the payment account that the payment service user will subject to the account information service may be positioned as the account service provider.

4. Is the Account Information Service a payment service subject to a license (authorization to operate)?

Yes, it is. With the regulation made in the Law on 12.11.2019, the service of providing account information has been included among the payment services that can be performed with a license.

5. Is there any exception form of account information services exempt from license?

As a result of the amendments made to the Law and the Regulation, account information service is defined as

“Provided that the consent of the payment service user has been obtained, the service of providing consolidated information on online platforms regarding one or more payment accounts of the payment service user with payment service providers.”,

and it is regulated that persons who offer and will offer this service must apply to the CBRT and obtain an operating license.

Prior to 12.11.2019, persons providing account information services were obliged to apply to the CBRT and obtain the necessary permits within one year (“Transition Period”) starting from the publication date of the Regulation (01.12.2021).

29 days after the completion of the Transition Period, the CBRT published the Guidelines on Data Sharing Services in Payment Services (“Guidelines”), which includes the business models on which the sector representatives requested opinions.

The Guidelines discuss different business models and state that business models should take into account:

– the account service provider’s addressee relationship between the authorized payment service provider and the payment service user; and

– who has technical/administrative/legal responsibilities

In this context, the CBRT adopted a different view from that of the European Banking Authority (“EBA”) and partially* from that of the Financial Conduct Authority (“FCA”);

in case a payment service user;

– contracting directly with the account service provider,

– continue to legally receive the services provided by the account service provider directly from the account service provider; and

– to receive only technical services from a third party in this context

the CBRT did not accept the business model within the scope of Data Sharing Services in Payment Services and did not include it within the scope of account information services. It should be noted that the CBRT emphasized that this assessment should be considered on a business model-specific basis.

The CBRT has addressed 7 different business models in 3 main scenarios in the Guidelines, and these business models will be discussed below.

*The FCA has indicated that some scenarios that fall within the trust relationship may be covered by the exception.

6. A company (Y), through separate agreements with bank(s) and/or other payment service provider(s), obtains the information regarding the payment accounts of its customers at these account service provider(s) by means of queries made with certain frequencies through its own infrastructure in order to provide it to its customers.

According to the CBRT’s basic approach mentioned above, since the company (Y) enters into a direct contractual relationship with bank (U) and the technical/administrative/legal responsibilities under the contract are on company (Y), the business model is considered to be an account information service subject to a license.

7. Is it an account information service if the account holder obtains account information from the account service provider and shares it with a third party, and the information provided by the third party is consolidated and made available to the account holder?

Customer (S) of (K), a technology company, obtains payment account information from Bank (U) and transmits this information to (K) to provide value-added services. Upon receiving the information, company (K) consolidates and offers its value-added services to its customer (S).

According to the CBRT’s basic approach, in this workflow, (S) is the only company directly and solely related to (U) Bank, and the technical/administrative/legal responsibility lies with (S) Company. In this context, (K) company is considered as a technical service provider according to subparagraph ğ of the second paragraph of Article 10 of the Law and the service it provides is not considered as a payment service within the scope of the said exemption.

“Services provided by technical service providers that support the provision of authorization transactions in payment services, including the processing, storage, security, confidentiality protection and verification of data, and the supply and maintenance of information technology, communication networks and tools used for payment services, where the technical service providers do not own the funds transferred at any point in the transaction

With this assessment, it can be concluded that the CBRT departed from the EBA and FCA’s view that “payment order initiation service and account information service are not considered as technical services”.

Moreover, it can be said that the EBA’s position on the issue has become clearer with the addition of “collection and consolidation directly or through a technical service provider” to the definition of account information service in PSD III.

Although the FCA has stated that account maintenance services to be provided through a proxy relationship may be considered as an exception, it can be accepted that the proxy relationship should be considered as a more limited concept from the domestic example given by the FCA.

7.1. Does the example given in the Guidance for a single bank (ASPS) change the assessment of consolidation of information from multiple account service providers?

No. We are of the view that increasing the number of payment accounts or the number of account information providers will not change the situation as the CBRT’s assessment is based on the technical/administrative/legal responsibilities in the relationship between the payment service user, the account service provider and the third party (payment institution or technology company).

8. Is it an account information service if the account holder’s account information is obtained directly from the account service provider by an authorized third party and consolidated and provided to the account holder?

The CBRT authorizes (K), a technology company, to receive payment account information directly from its customer (S), Bank (U), and to consolidate and provide value-added services to (K);

– Company (S) is directly and solely related to Bank (U),

– technical/administrative/legal responsibility on (S) company

Within the framework of the assessment, it is stated in the Guidelines that the technical infrastructure service provided by company (K) cannot be accepted as a payment service since it falls within the scope of subparagraph ğ of the second paragraph of Article 10 of the Law.

8.1. Does the example given in the Guidelines for a single bank (ASPSP) change the assessment of consolidation of information from multiple account service providers?

No. We are of the view that increasing the number of payment accounts or the number of account information providers will not change the situation, as the CBRT’s assessment is based on the technical/administrative/legal responsibilities in the relationship between the payment service user, the account servicing payment service provider and the third party (payment institution or technology company).

9. Is the consolidation of the accounts of its subsidiaries by (E) Holding a service of providing account information?

After the payment services are listed in the first paragraph of Article 12 of the Law, the exceptions that will not be considered as payment services are included in the second paragraph.

According to subparagraph j, which is referred to as the group company exception, “payment services that are realized between the parent company and its subsidiaries or affiliates or between the subsidiaries themselves and that are not intermediated by any payment service provider other than a company belonging to the same group” are not considered as payment services.

According to the regulation in the Law, situations where a third payment service provider does not intervene in order to consolidate the payment account information of subsidiary (L) at Holding (E) are not considered as payment services.

Although the CBRT has considered the example in the Guidelines for the scenario where the information is obtained through (E) Holding’s own IPs and the technology company’s service is white-label or on premise, in our opinion, we would like to share that we are of the view that the condition that “no payment service provider other than a company belonging to the same group shall act as an intermediary” will not be violated if the process is carried out through the IPs of a technology company that provides technical services. However, we would like to note that in this case, a service procurement relationship should also be established by each subsidiary from the technology company.

We recommend that the examples of business models provided by the CBRT in our article and the Guidelines should be examined in detail in any case, and that the CBRT should be consulted by sharing the details of the business models in cases of uncertainty or differences.