The Guidance to Data Sharing Services in Payment Services (“Guidance”) was published by the Central Bank of the Republic of Turkey (“CBRT”) on 30.12.2022, which includes examples and assessment of open banking business models and card tokenization services according to the Law №6493 (“Law”).
Purpose of the Guidance stated as the creation of a guiding document for all providers about the account information service (“AIS”/”HBH”) and the payment initiation service (“PIS”/”ÖEBH”) such as;
- Whether some AIS and PIS business models that are frequently encountered in the field of payments require a licence/permit according to Law,
- License and technical certification process
In the Guidance discussed topics such as;
• Basic concepts such as PIS, AIS, authorized payment service provider (“YÖS”) and payment services data sharing services (“ÖHVPS”) are defined,
• Application architecture of ÖHVPS and duties and responsibilities of Bankalararası Kart Merkezi A.Ş. (“BKM”) as a technical service provider have been explained,
• Definitions and sample workflows of AIS and PIS, as well as reviews and assessments of sample workflows delivered by Payment and Electronic Money Institutions Association of Türkiye (“TÖDEB”) and Open Banking Group were shared.
• Within the scope of AIS and PIS, technical, administrative and legal responsibilities and contractual relationship between AISP/PIS, YÖS and BKM were discussed,
• Under the heading of assessments for frequently asked issues
o Types of payment accounts and transactions,
o Which operations are supported by the current ÖHVPS,
o Providing the AIS and PIS with the agency model within the scope of the Law,
o Which data of fund senders/receivers can be accessed in inquiries by AIS,
o Initiative regarding whether to consider the safe recipient list for authentication within the scope of the risk assessment,
o YÖS’s storage and processing of the data which they receive from account service providers (“ASP”/”HHS”) within the scope of ÖHVPS,
• Licensing and technical certification considerations
In this article, only the matters that we deem important are discussed.
1. BKM is Positioned as a Technical Service Provider for the Open Banking Ecosystem, Providing Central Registry (Central Retention of HHS and YÖS Certification Information and Transaction Records), Testing and Certification Solutions, Experimental Environment (Simulator) Application, Support and Reporting Services.
2. It has been stated that in the Assessments Regarding Open Banking Business Models, the Relationship Between HHS, YÖS and the Customer and Who Has Technical, Administrative and Legal Responsibilities will be taken into consideration.
In the Guidance, a reference is made to Article 12/1-g of the Law and so that an institution which provides the service of providing consolidated information regarding one or more payment accounts of payment service users on online platforms must obtain an license from the CBRT.
However, it is stated that business models such as the customer’s contracting directly with HHS, receiving the services provided by ASP directly from ASP legally, and receiving only technical services from a third party will not be considered as payment services within the scope of ÖHVPS and within the scope of the Law.
For example, a legal or natural person (“Customer”) who has an account with payment service providers;
i. has signed a web service protocol with ASP for its account on an ASP (bank, e-money institution, etc.) whose transactions it wants to access in a consolidated manner,
ii. It transmits all the data that it receives from ASP to a third party service provider, and it recieve through a querry a consolidated service in the form and structure it needs to manage its administrative and operational processes from the service provider,
iii. The service provider provides a technical infrastructure with that the Customer can call the information in a consolidated form to be obtained from ASP.
The business model above has been assessed as a technical service within the scope of Article 12/2-ğ of the Law, rather then a payment service within the scope of the Law.
In the aforementioned business model, it has been stated that in case in the web service protocol that the Customer will sign with ASP, providing IP information of the third party service provider can also not be considered as a payment service within the scope of the Law.
3. On-Premises Business Model is not considered as a Payment Service within the scope of ÖHVPS and within the scope of the Law.
In case a customer who;
1. requires account transactions web services and online mass transfer web services for their own accounts on ASP, regarding their administrative and operational processes (Accounting, Order, Return, Account Reconciliation, etc.),
2. purchases or leases a software that will consolidate the web services of all ASPs for which it has an account,
3. integrates the software into its own systems,
this business model (on-premises) is not considered as a payment service within the scope of the Law on the grounds that the technical, administrative and legal responsibility against HHS is solely with the Customer.
4. The Situation of Subsidiaries of a Holding Receiving Service Over a Single IP Of The Holding Is Assessed Within The Scope Of ÖHVPS, But It Has Also Been Assessed As An Exception Payment Service In Accordance With Article 12/2-J Of The Law, And It Has Been Stated That There Is No Need To Obtain A License.
5. The Business Model, in Which Payments Are Made with Digital Wallets in Which Debit Cards Tokenized, And Use Of It Is Not Limited With Its Provider, Has Been Assessed Within The Scope Of Payment Order Initiation Service.
Considering that the term “debit card” used in this guide is used consciously, and taking into account the definition of “card that enables to benefit from banking services, including the use of deposit account or special current accounts” in the Debit Cards and Credit Cards Law №5464, We would like to note that in our opinion credit cards are not considered within this scope.
We would also like to note that this assessment of the CBRT differs from the case that PIS is kept separate from card transactions in known world examples.
On the other hand, we would like to point out that, according to the eighth paragraph of Article 59 of the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, credit card accounts are defined as payment accounts like the accounts to which bank cards are linked. Despite this situation, the reason why credit card accounts were separated also raised a question mark.
It is understood from the CBRT’s assessment that the card tokenization business model in e-commerce sites differs due to its limited use with its workplace, and the provision of the digital wallet service by the payment service providers to each member workplace will be considered within the scope of the payment initiation service.
In our opinion, an assessment should be made for each case about business models such as; (i) the bank card tokenized in the digital wallet at electronic money institutions using to top-up to the e-money accounts held by them, and (ii) making payments to third party services within the mobile applications of PSP.
The payments in the business model, in which bank cards can be tokenized in a digital wallet and used in workplaces other than those who provide the digital wallet, are not among the ÖHVPS whose standards have already been determined, even it is assessed as a PIS. So that the aforementioned transactions will be carried out within the framework of existing methods and rules, and not through BKM GEÇİT.
6. In Inquiries Regarding Account Information Service, It Has Been Stated That Counterparty Information such as Identity Information (ID Number, Tax Identification Number etc.) and IBAN Number, Account Number Can Only Be Displayed as Masked.
7. It Has Been Stated That Banks’ Sharing of Online Account Statements with Commercial and Institutional Customers Who Want to Access Their Own Data over Their Own Systems is Not Within the Scope of ÖHVPS, and It Can Continue Without Requiring a License.
8. According to Guidance, General Authority Cannot Be Granted at Once By The PSP For The Transactions On All Accounts For The Transactions Not Requiring Strong Authentication Over The ASP. Even If It Is Thought That the Creation of Such a Simplified Approval Mechanism And A Structure That Allows Automation Will Increase Customer Satisfaction, It Has Been Assessed That AISP Will Not Release Its Responsibility For Account Security.
9. It Has Also Been Stated in Writing That Fintech Companies Subject to the Transition Process Can Continue Their Services Uninterruptedly If They Have Applied for a License to the CBRT Until December 1, 2022.
ASSESSMENT
We would like to share that the publication of Guidance by the CBRT that will respond to and guide the needs of the sector is important for the sector.
In our opinion, considering the business model of tokenization bank cards in digital wallets as a payment order initiation service, distinguishing it from other world actual examples, will result that digital wallet provider fintech institutions operating with the open pool model in the market and tokenization bank cards should be payment service provider and have a license specific to the payment initiation service.