On 19 August 2021, Banking Regulation and Supervision Agency (BRSA) published the Draft Regulation on Operation Principles of Digital Banks and Banking as a Service ("Draft Regulation") on its website. As the name indicates, the Draft Regulation regulates two distinct matters:
A. Principles applicable to "digital banking" (also known as branchless banking, neo banks online-only banks).
The Draft Regulation specifies (i) activity limitations, (ii) mandatory service continuity levels and (iii) licensing requirements and procedures applicable to digital banks. "Digital Banks" are defined as follows:
"Digital bank: A credit institution that provides banking services mainly through electronic banking services distribution channels instead of physical branches"
B. Principles applicable to "banking as a service" business models ("BaaS"). BaaS is defined by the Draft Regulation as follows:
"Banking as a Service (BaaS): The banking service model in which interface developers connect with service banks' systems directly through APIs and open banking services to perform banking transactions on behalf of their customers through the service bank, thus allowing interface developers to offer new products and services to the market by using the banking infrastructure of service banks and a fee agreed between the parties is paid to the service banks by the interface developers in return for these services received from the service banks."
The key parties in the BaaS model are "Interface Developer" and "Service Bank" and they are defined as follows:
"Interface developer: Financial technology companies or other businesses that enable their customers to perform banking transactions by accessing the banking services offered by the service bank via the bank's API and open banking services through the mobile application or internet browser-based interface it has developed."
"Service Bank: The bank that offers BaaS services."
Draft Regulation explicitly states that unless stated otherwise in the regulation, digital banks are subjected to all regulations applicable to credit institutions. Therefore, for matters remaining unregulated under the Draft Regulation, digital banks will be expected comply with the other existing primary and secondary laws under banking regulations.
Customer Base: Draft Regulation foresees that, digital banks can only offer its services to individual financial consumers and small and medium sized enterprises (SMEs). Accordingly, digital banks are not allowed to provide corporate banking services to entities that surpass the SME thresholds.
Explicitly Allowed Services: Digital banks are explicitly allowed to carry out following operations without being limited with the "customer base" limitations indicated above:
No Physical Branch: Digital banks are forbidden from opening physical branches. However, they can (and they are expected to open at least one) establish physical offices to handle customer complaints on the condition that they do not act as a branch of the digital bank. Additionally, digital banks are allowed to set up ATM networks to offer their services or they can offer them through already established networks. They can also offer cash withdrawal or depositing services through contracted merchants.
Lending Limits: The maximum amount of unsecured cash loans that digital banks can lend to a single customer who is a financial consumer cannot exceed four times the average monthly net income of the relevant customer, and if the customer's average monthly net income cannot be determined, the total of the unsecured cash loans that can be given for such customers cannot exceed ten thousand Turkish Liras.
General Exemption to Activity Limitations: It is possible for digital banks which can increase its total establishment capital amount to 2.5 billion Turkish Liras to apply to the BRSA and request an exemption from the activity limitations listed under this section. For example, a digital bank that can meet the 2.5 billion Turkish Liras capital requirement could request an exemption from the BRSA and, subject to BRSA's approval, can offer corporate banking services to entities that surpass the SME thresholds.
Draft Regulation requires digital banks to publish their undertaken service continuity levels for each of their service distribution channels, on their website. For online and mobile banking channels, minimum service continuity level undertaken cannot be lower than %99,8.
In General: General requirements to be met and procedures to be followed for acquiring a digital bank license is identical to those for a conventional bank license. As per the reference made by the Draft Regulation, rules appliable to general licensing procedure for banks is listed under Regulation on Banking Operations Subject to Permission and Indirect Share Ownership ("Banking License Regulation"). All licensing conditions expected from digital banks brought by the Draft Regulation are in addition to the general licensing conditions listed in the Banking License Regulation.
Capital Requirement: Minimum capital requirement for digital banks is 1 billion Turkish Liras (approx. 100 million Euros as of 22 August 2021).
Additional information to be Provided: Along with the standard content of business plan and activity report documents, during license application procedure for digital banks BRSA expects some additional details from applicants. The requested details are mostly due to unique nature of digital banking and include, but not limited to, the following:
The Status of Already Licensed Financial Entities:
Draft Regulation sets down basic principles applicable to BaaS business models to be offered by service banks to interface developers. Before going into details of these principles, we would like to underline that 'service banks' are not limited with 'digital banks' that we have discussed above. Conventional banks with physical branches could also act as a service bank in BaaS models.
Who could be an interface developer?: There are no explicit limitation, besides the geographical one (see below), brought under the Draft Regulation on who could be an interface developer. For example, the following entities can procure BaaS services as an interface developer:
Geographical Limitation: Draft Regulation brings a strict limitation to service banks to only offer BaaS services to interface developers that are established in Turkey. Accordingly, mobile app developers, fintech companies, social media platforms established abroad cannot procure BaaS services from local banks in Turkey.
Transparency Requirements: Draft Regulation explicitly prohibits interface developers from portraying themselves as a 'bank' or 'payment or electronic money institution' in their trade names, advertisements, promotional materials or in their public declarations unless they have the necessary licenses. For similar transparency purposes, interface developers are also required to:
Digital Onboarding: In order for a service bank to offer its banking products to interface developer's customer, a contractual relationship between the service bank and the customer must be established. The digital onboarding procedure between the bank and the customer is expected to be compliant with the Regulation on Remote Identification Methods to be Used by Banks and Establishing a Contract Relationship in Electronic Environment ("Banking KYC Regulation") (which mandates live video KYC procedures to be completed for digital onboarding, among other requirements). The Draft Regulation allows whole onboarding procedure to be completed over the interface developer's application but the legal responsibility for ensuring the procedure is compliant with Banking KYC Regulation is on the service bank.
Contractual Relationship Between the Service Bank and the Interface Developer:
Applicability of Outsourcing Regulations: The Draft Regulation states that, since in the BaaS model, the service bank is in the position of a 'service provider' of the interface developer, the contractual relationship between the interface developer and service bank is exempt from the specific outsource service procurement provisions provided under the Regulation on Support Service Procurement by Banks ("Outsourcing Regulation"). Nevertheless, Draft Regulation brings an exemption to this general rule and states, if the interface developer acts as an intermediary for the provision of the banking services and receives a fee in return from the service bank, it will be considered as a service provider of the bank. In such a case, the contractual relationship will be considered within the scope of the Outsourcing Regulation and therefore, inter alia, the contact between the parties will be expected to include certain mandatory clauses as indicated under the Outsourcing Regulation and interface developer will be subject to technical and legal risk assessment procedures of the service bank.
Mandatory BaaS Clauses: Draft Regulation stipulates certain mandatory provisions to be included in the service agreement to be established between the service bank and the interface developer. Namely, provisions obliging the interface developer (i) to comply with the transparency requirements (see above) and (ii) to not to store bank customer information that is not necessary to offer its services or comply with its legal obligations.
Notification and Disclosure Requirements: In a nutshell, Draft Regulation requires BRSA to be always kept in the know during BaaS provision processes. Accordingly, before signing a contract with the interface developer, service banks are required to notify the BRSA in writing about: (i) the information about the interface developer it plans to provide services to, (ii) scope of the banking services it will provide, (iii) which banking services it plans to allow for use. Once the service contract is signed, it is required to send a copy of it to the BRSA within one week from the signing date. Lastly, service banks are also expected to publish a list of the interface developers it provides services to and the scope of such services publicly on their website.
Technical Details of Integration: The technical and legal details of how the integration between interface developers and service banks will be established is not yet certain. However, Draft Regulation grants BRSA a very broad authority to determine technical criteria, procedures and principles about APIs and open banking services to be used by service banks for the services to be provided to interface developers.