Fintech in Turkey 2024

Fintech in Turkey 2024

FINTECH 2024

TÜRKIYE

Cigdem Ayozger Ongun, Deniz Erkan

(SRP Legal)

FINTECH LANDSCAPE AND INITIATIVES

General innovation climate

1. What is the general state of fintech innovation in your jurisdiction?

There is an ever-evolving fintech climate in Turkey. According to the Turkey Fintech Guide 2023 published by The Presidency of the Republic of Turkey Finance Office, Turkey has received a start-up investment of US$1.6 billion in 2022. According to the Guide, Turkey ranks 10th in Europe and 3rd in the Middle East and North Africa. Pursuant to the Guide, total of US$1.6 billion was invested in 300 start-ups, out of which the fintech industry received the highest number of investments with 34 deals. As a result of these 34 deals, US$90 million was invested in fintech companies in 2022, making it the year in which the highest investment amount was reached.

As of February 2023, 739 fintechs are established in Turkey, 637 of which are active. These fintech companies consist of 255 organizations that work on decentralized finance, banking technologies, and corporate finance. Also, there are 90.6 million active retail digital banking users and 2 million point-of-sale terminals, 52,100 automated teller machines, 99.3 million credit cards and 71.6 million prepaid cards in Turkey. Moreover, the contactless payment rate reached 66 percent, 18 percent above the previous year’s rate.

In the Turkish fintech ecosystem, services such as payment and e-money services, money transfer and remittance, bill payment, digital wallet and system operator services are regulated, while some issues such as lending and credit scoring are yet to be regulated. However, in less than a year, new regulations regarding open banking, service-model banking, equity and lending-based crowdfunding entered into force. With the Economic Reforms Action Plan published by the Ministry of Treasury and Finance on 12 March 2021, certain legal regulations in this area were implemented in 2021 as well as 2022.

With new developments in the regulatory area, 100 fintechs were licensed as of 2022:

• 45 e-money institutions;
• 29 payment institutions;
• eight crowdfunding platforms;
• five insurtechs;
• five payment systems;
• four digital banks;
• three financing institutions; and
• one intermediary institution.

Thirty-four fintechs received an investment of US$89 million as of February 2023, following an upward trend in fintech investments in Turkey despite the decreased global risk appetite following the Covid-19 pandemic.

Government and regulatory support

2. Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

Different public authorities such as the Republic of Türkiye Ministry of Trade, the Republic of Türkiye Ministry of Industry and Technology, the Scientific and Technological Research Council of Türkiye (TÜB TAK) and the Small and Medium Enterprises Development Organization (KOSGEB) have different incentives and support schemes for financial innovation. These supports and incentives are spread over many different areas such as commission support, market entry support, strategic business plan support, software, mobile application and digital game development support.

The support is provided to entities that meet specific criteria brought by different legislations. In Turkey, investments have been supported pursuant to the Decision on State Aid in Investments brought into force with Decision of the Council of Ministers No. 2012/3305, and its Implementing Communiqué No. 2012/1. The Decision on Providing Project Based State Aid to Investments was brought into force with Decision of the Council of Ministers No. 2016/9495 and Communiqué No. 30892 on the Code of Practice of Technology-Oriented Industrial Movements Program (Communiqué No. 30892). The latest developments concern Communiqué No. 30892, which was amended with Official Gazette No. 30969.

Investment incentives are provided to all entities that meet the requirements pursuant to the above-mentioned laws and regulations. Unlike many information technology or e-commerce projects, fintech projects are more likely to benefit from these incentives because of the nature of fintech and its requirements such as security, payment infrastructure, user experience and mobility.

During the establishment phase of fintech start-ups, there are alternatives such as private incubation centers, techno centers and collaboration offices that may allow fintech start-ups to benefit from tax advantages. In addition to these investment incentive-focused regulations, fintech start-ups may also benefit from Technology Development Law No. 4691 and its implementing regulation. This law provides lower corporate income tax, withholding tax, income tax exemptions, employer social security contribution support payments and value added tax exemptions for fintech start-ups.

Government support is also stipulated in the 11th Development Plan of Turkey. The 11th Plan covers the year 2023 and includes objectives on fintechs. This plan commits to supporting the creation of a secure financial technology ecosystem that provides equal opportunities for firms by drawing on international best practices.

To bring this goal to life, it is aimed to create a roadmap which will be for the development of the fintech ecosystem in Turkey and the coordination of implementation will be ensured by a single public institution. On top of that, to strengthen the legal infrastructure of open banking, it is aimed to achieve legislative harmonization with EU Directive (EU) 2015/2366 (Payment Services Directive II) (PSD2), to establish the Istanbul Finance and Technology Base, to establish the Regulatory Experimental Area and Industry Experimental Area and to establish the Association of Payment Services and Electronic Money Institutions.

According to the amendment to Presidential Decree No. 2834, published in Official Gazette No. 31207 of 8 August 2020; as of 23 March 2022, the rate of Bank and Insurance Transactions Tax is applied as:

• 1 percent on the proceeds received in return for the acquisition or disposal of domestic Turkish lira-denominated bonds with repurchase and resale commitment;
• 1 percent on the proceeds received in return for the sale of domestic Turkish lira-denominated bonds without waiting for maturity;
• 10 percent on the proceeds received in return for consumer loans; and
• 5 percent on the proceeds received in return for other bank and insurance transactions.

The Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (the Amendment), in line with the requirements of PSD2, entered into force on 1 January 2020. The Amendment set forth a provision for the establishment of the Turkish Payment Services and Electronic Money Association (the Association), which entered into force on 22 May 2020. Accordingly, all payment and electronic money institutions are required to become members of the Association.

The Strategy and Budget Directorate of the Presidency of the Republic of Turkey published the Presidential Annual Program for 2023. The establishment of a secure fintech ecosystem that provides equal opportunities for companies as well as the establishment of interfaces and standards that will strengthen cooperation and information sharing for the digital transformation of the manufacturing industry are within the scope of the Presidential Annual Program.

Finally, Presidential Circular No. 2022/10 published in the Official Gazette of 10 June 2022, identifies subjects such as development of financial services, entrepreneurship and small and medium-sized enterprises, as well as information and communication technologies as issues to be worked on in the 12th development plan.

FINANCIAL REGULATION

Regulatory bodies

3. Which bodies regulate the provision of fintech products and services?

Regulatory and supervisory bodies include the Ministry of Treasury and Finance, the Central Bank of the Republic of Turkey (CBRT), the Banking Regulation and Supervision Agency, the Capital Markets Board, and the Insurance and Private Pension Regulation and Supervision Agency. These institutions carry out their duties in different parts of the fintech sector.

The CBRT is authorized in regulating payment systems, electronic money institutions and payment institutions. The CBRT is entitled to issue payments, e-money and system operator licenses pursuant to Law No. 6493, the Regulation on Payment Services and Electronic Money Issuance and Payment Institutions.

In addition to the CBRT, the Turkish Financial Crimes Investigation Board (MASAK), which acts as Turkey’s financial intelligence unit, effectively fights money laundering and terrorist financing (anti-money laundering (AML)). MASAK checks whether financial institutions meet the requirements of AML regulations and laws. Therefore, fintech companies, such as payment service providers, cryptocurrency trading platforms and crowdfunding platforms, must fulfil their AML obligations.

The sale and marketing of financial services and products may fall under the supervision of the Turkish Capital Markets Board (CMB) or the Banking Regulation and Supervision Agency (BRSA). The CMB’s Communique on Principles on Investment Services and Activities and Ancillary Services No. III-37.1 and the BRSA’s Regulation on Bank’s Procurement of Support Services impose certain restrictions on financial service providers as well as the vendors providing the sales and marketing of financial services in Turkey. Therefore, the BRSA is authorized regarding digital banking, service model banking and financing companies.

Article 6 of the Regulation on Establishment and Activities of Asset Management Companies sets forth that asset management companies must obtain authorization from the CMB prior to their establishment to carry out their activities. According to the Banking Law and the Financial Leasing Law, only entities with a license granted by the BRSA may legally conduct lending activities. However, following the entry into force of the Amending Law, new licenses have been granted by the CBRT as of 1 January 2021.

Regulated activities

4. Which activities trigger a licensing requirement in your jurisdiction?

Payment systems, electronic money institutions and payment institutions require licensing in Turkey. As for financial activities, a large amount of financial services trigger licensing, authorization or registration in Turkey. These activities might be regulated by the CBRT, the CMB, the BRSA, the Ministry of Treasury and Finance or the Central Securities Depository of the Turkish Capital Markets.

The CBRT authorizes services such as invoicing services, e-money services and system operator services while the BRSA issues licenses for banking and finance activities such as banking services, factoring and financial leasing services. The Capital Market Authority, on the other hand, is responsible for authorizing equity and lending-based crowdfunding platform services, trading and carrying out intermediation activities in securities and other capital markets instruments. The Ministry of Treasury and Finance authorizes insurance activities and the Central Securities Depository of the Turkish Capital Markets provides its members with registration (public offering, et cetera), settlement and custody services.

In addition to these regulatory bodies, the Risk Centre established within the Banks Association of Turkey collects risk data and information of clients of credit institutions and other financial institutions to be deemed eligible by the Banking Regulatory and Supervisory Board, ensuring that such information is shared with said institutions or with the relevant persons or entities themselves, or with real persons and private law legal entities if approved or consented; and Kredi Kayit Bürosu (KKB) conducts all operational and technical activities through its own organization as an agency of the Risk Center of the Banks Association of Turkey and provides data collection and sharing services.

Consumer lending

5. Is consumer lending regulated in your jurisdiction?

Consumer lending is regulated within the scope of the Banking Law, the Law on Bank Cards and Credit Cards, the Regulation on Credit Operations of Banks and by the Ministry of Commerce through the Consumer Law, the Regulation on Consumer Loan Agreements and the Regulation on Housing Finance Agreements.

With the Decision No. 10222 taken on 9 June 2022 by the Banking Regulation and Supervision Board, the following rates regarding consumer loans were announced:

• the general maturity limit for consumer loans shall be set as 24 months for loans with a loan amount above 50,000 Turkish liras and below 1,000 Turkish liras and 12 months for loans with a loan amount above 100,000 Turkish liras; and
• the minimum payment amount for credit cards with a limit below 25,000 Turkish liras shall be set as 20 percent of the period debt, and the minimum payment amount for credit cards with a limit above 25,000 Turkish liras shall be set as 40 percent of the period debt.

In addition, Decision No. 10222 stated that the necessary steps would be taken in the following areas:

• differentiation of the loan-to-value ratio in housing loans on an amount basis;
• directing loans to productive areas such as investment and exports to improve the selective approach, particularly for commercial loans;
• increasing the risk weight of loans to be extended to legal entities that engage in derivatives transactions with non-residents; and
• introducing the possibility of allocated swaps for non-residents.

Secondary market loan trading

6. Are there restrictions on trading loans in the secondary market in your jurisdiction?

In Turkey, in principle, loans can only be provided by banks and credit institutions that do not include payment services or e-money institutions. The prohibition on lending is specifically regulated in the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers. Within the scope of this Regulation, payment and e-money institutions cannot give loans, nor may they engage in advertising and marketing activities in a way that creates the impression that they are giving loans. Additionally, loan-based transactions are subject to the Turkish Banking Law and regulations. Transferring a loan by way of novation (namely, discharging the original debt) will have the effect of extinguishing the Turkish law-governed security. In these cases, there is a requirement to re-establish the security for the new lender. A parallel debt structure may be a way of preventing the fall of the accessory security as a result of novation. The transfer of debts is also possible and made by an agreement between the transferor, the transferee and the debtor. Security providers for these debts should provide their consent in written form. There are no registration requirements with the authorities in Turkey for a transfer or assignment to be effective.

On the other hand, debt instruments, which can only be provided by the above-mentioned institutions, can be purchased and sold in the secondary market under the Capital Markets Law and regulations. Borsa Istanbul (BIST) is the most active and organized Developer Interest Bearing Scheme secondary market in Turkey. The bonds and bills markets are outright purchase and sales and repo and reverse-repo markets. Intermediary institutions and banks can participate in these markets, and the rules of BIST are valid. In BIST, of which the CBRT is also a member, participants send their requests and proposals to the BIST system with all the necessary details. When the best demand and offer are met in the system, transactions are carried out within the framework of the determined operating rules.

Collective investment schemes

7. Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

In Turkey, the general rules and principles regarding investment funds are regulated under the Capital Markets Law and regulations. In this respect, further details regarding the establishment and activities of investment funds are regulated under the Communiqué on the Principles of Investment Funds (III-52.1). Accordingly, the Investment Funds Guide clarifies the rules and principles stipulated in this Communiqué.

The regulatory regime for collective investment schemes is new, and equity and lending-based crowdfunding platforms have been highly regulated under the Capital Markets Law. The Communiqué on Crowdfunding (III-35/A.2) was issued by the CMB and was published in the Official Gazette of 27 October 2021. As per this Communiqué, only the platforms authorized and listed by the CMB may carry out equity-based and lending-based crowdfunding activities.

Additionally, peer-to-peer lending is not currently regulated in a manner synonymous with the definition found under EU Directive (EU) 2015/2366 (Payment Services Directive II) (PSD2). However, debt-based crowdfunding platforms, which can be considered peer-to-peer lending, have been regulated. Regarding the platforms on which crowdfunding activities can be carried out, the Capital Markets Law and Communiqué No. III-35/A.2 on Crowdfunding can be mentioned as the first Turkish legal document that regulates lending-based crowdfunding platforms, which can be considered as peer-to-peer lending.

The Amending Law, which was published in Official Gazette No. 31050 of 25 February 2020, entering into force on the same date, introduced the concept of crowd-lending by the inclusion made to Law No. 6362. With regard to crowdfunding, with the amendment made in the first paragraph of article 35/A of Law No. 6362 and Crowdfunding Communiqué (III-35/A.2), the CMB is empowered to make determinations regarding crowdfunding activities that collect money from the public based on partnership or lending.

As per the Amending Law, the provisions of banking legislation shall not be applied for financing provided through lending-based crowdfunding and shall not be considered as deposit or participation fund acceptance. This situation brings an alternative to conventional and participation banking models, especially in financing innovative projects with industrial and technology companies. In addition, with the amendments made to article 35A of Law No. 6362, responsibility regarding the information form on the crowdfunding transactions is clarified and venture companies, whose shares are monitored and recorded, are now allowed to hold general assembly meetings electronically.

It has also been stipulated that crowdfunding platforms shall not be subject to the provisions of the Capital Markets Law regarding publicly held corporations, public offerings, issuers, the obligations of issuing prospectuses and issuance documents, investment services and activities, ancillary services and exchanges, market operators and other organized marketplaces.

Alternative investment funds

8. Are managers of alternative investment funds regulated?

Alternative investment funds (AIFs) are operated and managed by portfolio management companies on behalf of their investors in exchange for a consideration, namely, a participation share. Managers of AIFs are subject to the Communiqué on Portfolio Management Companies and Activities of Such Companies (III-55.1) issued by the Capital Markets Board. This Communiqué has been amended as per the Communiqué (III-55.1.d) (Amending Communiqué), published in the Official Gazette of 18 February 2023, which entered into force on the same date.

The Amending Communiqué introduced the concept of ‘sub-portfolio management’, which includes a contract to be signed between institutions or asset management companies authorized for portfolio management abroad for sub-portfolio management. Within the framework of this agreement, it refers to the activity of managing a certain portion or all of the portfolio of the portfolio manager by the sub-portfolio manager.

In addition, portfolio management companies are required to be established as joint-stock companies with the main objective of operating and managing investment funds. Compliance with certain conditions and obtaining the CMB license as set forth under the above Communiqué are required for establishing and operating a portfolio management company (PMC). The manager can either be the founder (founding a PMC or real estate PMC (REPMC)) or hold another role in the PMC or REPMC pursuant to a portfolio management contract. Fintech companies do not fall under the scope of the legislation concerning alternative investment fund managers.

With the Amending Communiqué, the minimum paid-in capital amount required for a portfolio management company’s establishment permit to be evaluated by the CMB has been increased from 6 million Turkish liras to 30 million Turkish liras. Also portfolio management companies, in addition to opening branches and establishing agencies with banks and brokerage houses, are now able to open liaison offices in Turkey or abroad with the permission of the CMB.

Peer-to-peer and marketplace lending

9. Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

Lending activities are highly regulated by the BRSA. For instance, according to the Banking Law or the Financial Leasing Law, only the entities with a license granted by the BRSA can legally conduct lending activities. According to Turkish Criminal Code No. 5237, money lending and earning interest from that money without holding a license is a crime, defined as usury, that is subject to imprisonment between two to six years and a monetary fine from 500 days to 5,000 days. In addition, peer-to-peer lending is not currently regulated in a manner synonymous with the definition found under PSD2.

The Capital Markets Law and Communiqué No. III-35/A.2 on Crowdfunding regulate the lending-based crowdfunding platforms, which can be considered peer-to-peer lending. This Communiqué divides crowdfunding activities into two categories:

• equity-based crowdfunding; and
• debt-based crowdfunding.

Debt-based crowdfunding activities are defined as fund-raising from the public through platforms in return for crowdfunding debt securities and equity-based crowdfunding on the other hand is defined as fund-raising from the public through crowdfunding platforms in return for shares.

Crowdfunding

10. Describe any specific regulation of crowdfunding in your jurisdiction.

Equity and debt-based crowdfunding platforms are highly regulated under the Capital Markets Law (CML). Communiqué No. III-35/A.2 on Crowdfunding entered into force upon its publication in the Official Gazette of 27 October 2021 and designates the CMB as the supervisory regulatory authority. The Communiqué repealed the Communiqué on Equity Based Crowdfunding (No. III-35/A.1), and lending and share-based crowdfunding are now regulated in a single communiqué.

Equity crowdfunding platforms are defined as platforms that allow entrepreneurs or companies to raise the funds they need for a project or venture idea electronically. Project owners or entrepreneurs and investors through platforms that allow investment in return for shares have come together through platforms that allow investment in return for an equity. Debt-based crowdfunding on the other hand is defined in the Communiqué as collecting money from the public through platforms in exchange for a debt instrument, and the funding process is carried out through platforms where investors who want to invest and entrepreneurs and companies seeking funds come together.

As per the Communiqué, crowdfunding activities shall be conducted via crowdfunding platforms, which can be joint-stock companies solely providing crowdfunding services; or investment institutions that are development and investment banks, participation banks or intermediary institutions.

With the Communiqué as a general rule, platforms will be able to solely carry out share-based and (or) debt-based crowdfunding activities; however, development and investment banks, participation banks and intermediary institutions are exempt from this rule. The principles to be followed while conducting crowdfunding activities will be set out in a written crowdfunding agreement to be executed between the fundraisers and the platform. In addition, the Communiqué paves the way for small or medium-sized technology and production companies to raise funds from capital markets without publicly offering shares.

With this being said, not all types of crowdfunding platforms are regulated in Turkish legislation. For example, reward-based crowdfunding platform activities are not regulated in Turkey while donation-based crowdfunding platforms are and may be subject to certain regulations. Even though there is no specific regulation regarding reward-based crowdfunding platforms, both reward- and donation-based crowdfunding platform activities have been performed by several companies in Turkey.

Finally, crowdfunding activities are not characterized as investment services or ancillary services in the CML. The reason for excluding crowdfunding transactions from the scope of investment and ancillary services is that crowdfunding activities are regulated to prevent small-scale companies from having cash difficulties, and therefore, general provisions are applied to the relationship between the parties. However, to make it easier for entrepreneurs to raise funds, crowdfunding platforms are not included in the scope of investment institutions operating under limited conditions and a flexible approach is followed.

Invoice trading

11. Describe any specific regulation of invoice trading in your jurisdiction.

The accounts receivable are usually, but not always, in the form of cheques or cashier’s cheques assigned or transferred to the assignee by the assignor in return for immediate payment. The Law on Financial Leasing, Factoring and Financing Companies and its secondary regulations are the primary pieces of legislation that govern this field in Turkey.

In addition, establishing a platform to provide information and services regarding electronic invoices to merchants, is not regulated in Turkish jurisdiction. However, providing services for mediating invoice payments is subject to Law No. 6493.

Payment services

12. Are payment services regulated in your jurisdiction?

Payment services are regulated in Turkey under Law No. 6493. According to Law No. 6493, the following activities are defined as payment services:

• all the operations required for operating a payment account, including the services enabling cash to be placed on a payment account and cash withdrawals from a payment account;
• payment transactions, including transfers of funds from the payment account of a payment service user before the payment service provider; direct debits, including one-off direct debits, execution of payment transactions through a payment card or a similar device, and the execution of money transfers, including regular standing orders;
• issuing or acquiring payment instruments;
• money remittance;
• executing payment transaction where the consent of the payer to execute a payment transaction is given by means of any information technology or electronic telecommunication device and the payment is made to the information technology or electronic telecommunication operator, acting only as an intermediary between the payment service user and the supplier of the goods and services; and
• services for mediating invoice payments.

Open banking

13. Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

The term ‘open banking’ was defined for the first time in the Banks’ Information Systems and Electronic Banking Services (the Regulation) published in the Official Gazette of 15 March 2020, and came into force on 1 January 2021. Pursuant to the Regulation, remote identification and digital onboarding have been regulated for the first time. In this context, open banking services may now be used for digital identity. Electronic money and payment institutions are required to comply with the Regulation by 30 June 2023.

Additionally, the Regulation on the Operating Principles of Digital Banks and Service Model Banking has been published in Official Gazette No. 31704 of 29 December 2021. Within the scope of the Regulation, digital banks are provided with the opportunity to perform all the activities that credit institutions can perform, depending on whether they are deposit or participation banks, unless otherwise stated in this Regulation or related sub-regulations. Also, with the Regulation on Operating Principles of Digital Banks and Service Model Banking, the principles of service model banking have been regulated, and service banks will be able to provide service model banking services only to domestically resident interface providers and only within the framework of their own operating permits.

Most importantly, with the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, the payment service providers are now obliged to offer the payment account and infrastructure services it offers under similar conditions with other commercial customers, business partners and other payment service providers with which it makes transactions, if another payment service provider wishes to use said services and within one month at the latest, the payment service provider is obliged to convey the decision of rejection or acceptance to the requesting payment service provider.

Also, with Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, the CBRT is authorized to determine all procedures and principles regarding the service of presenting consolidated information regarding one or more payment accounts of the payment service user with payment service providers on online platforms, provided that the payment service user’s approval is obtained and the payment order initiation service for the payment account in another payment service provider at the request of the payment service user.

With the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services of Payment Service Providers, which was published in the Official Gazette of 1 December 2021, the procedures and principles regarding the electronic channel through which the parties acting on behalf of the customers can remotely access the payment services offered by the account service providers via APIs and perform the transactions within the scope of the law or instruct the account service providers to carry out such transactions were regulated.

In addition, the Banking Sector Good Practices Guide on the Protection of Personal Data (Guide) was published by the Personal Data Protection Authority on 5 August 2022, specifically mentioning the open banking systems. The Guide contains general explanations regarding the procedures and principles that banks must comply with in the field of personal data protection and the obligations to be fulfilled. Regarding open banking, the Guidelines mention that there are three main processing activities in open banking services:

• processing of personal data of the natural person customer by the bank for the purpose of providing banking services;
• processing of personal data of the natural person customer by a third-party provider for the purpose of enabling the natural person customer to benefit from open banking products and services; and
• transfer of certain categories of personal data of the natural person customer by the bank to the third-party provider and simultaneously the third-party provider records these data in its own data recording system.

Robo-advice

14. Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.

In Turkey, there is no legal regulation specifically regarding robo-advisory or automatic consultancy. For this reason, there is no automated consultancy company that serves in an open architectural structure, can provide investment consultancy services to its customers and can act on their behalf. The institutions that are allowed to conduct consultancy activities regarding fund allocation and to provide fund advice to the participant are portfolio management companies subject to the Capital Markets Law.

Even though automatic consultancy services are not directly available to the participant, currently, Turkish automatic consultancy products are used by companies such as pension companies. However, the Digital Transformation Office, structured under the Presidency, is granted the task of leading the artificial intelligence (AI) transformation process.

In this context, the National Artificial Intelligence Strategy 2021–2025, drafted in cooperation with the Digital Transformation Office of the Presidency of the Republic of Turkey and the Ministry of Industry and Technology, was announced on 24 August 2021, and the Presidential Circular on the National Artificial Intelligence Strategy was published in the Official Gazette of 20 August 2021. In this respect, the National Artificial Intelligence Strategy Steering Committee was established under the chairmanship of the Vice President with the participation of the President of the Digital Transformation Office and the relevant Deputy Minister of the Ministry of Industry and Technology, to further the activities that Turkey will carry out in the field of AI until 2025, to determine the strategic priorities, goals, targets and measures in this field and to implement them.

Insurance products

15. Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Insurance services and, accordingly, selling insurance products are highly regulated under the Turkish Insurance Law and regulations. Companies that decide to perform these activities must obtain authorization from the Ministry of Treasury. As the activities of insurance companies are restricted, they are not allowed to perform activities other than providing insurance services. In this respect, fintech companies must pay attention not to be considered insurance companies by facilitating activities in the insurance market.

Additionally, the Regulation on Collecting, Storing and Sharing Insurance Data, prepared by the Insurance and Private Pension Regulation and Supervision Authority (Authority) within the scope of Insurance Law No. 5684 (Regulation), has been published in the Official Gazette and entered into force on 18 October 2022. The regulation determines the scope, procedures, and principles regarding the processing, sharing, and transfer of insurance data.

Pursuant to the Regulation the Authority is vested with the authority to determine the following:

• procedures and principles regarding processing activities regarding insurance data such as obtaining, storing and using insurance data from private legal entities, public institutions and organizations, public professional organizations and their superior organizations and information centers; and
• procedures and principles regarding the transfer of these data to insurance companies, reinsurance companies and pension companies engaged in insurance activities.

Pursuant to the Regulation, insurance data shall be collected by the Insurance Information and Monitoring Center from entities such as private legal entities, public institutions and organizations, and public professional organizations and must be kept in a general database.

Credit references

16. Are there any restrictions on providing credit references or credit information services in your jurisdiction?

The Credit Registration Bureau (Kredi Kayit Bürosu (KKB)) offers its services not only to financial institutions, but also to individuals and the real sector through the cheque report, risk report and electronic report systems launched in January 2013. Since September 2014, KKB gathered its services aimed at individuals and the real sector under the umbrella of Findeks, the consumer service platform of KKB.

Providing credit references or credit information services in Turkey is a regulated activity under Law No. 5411. The Risk Center was established within the Banks Association of Turkey (TBB) to collect the risk data and information of clients of credit institutions and other financial institutions to be deemed eligible by the Banking Regulatory and Supervisory Board and ensure that this information is shared with these institutions or with the relevant persons or entities themselves or with real persons and 61 private law legal entities if approved and consented to.

The KKB was founded in accordance with article 73/4 of the Banking Law and it conducts all operational and technical activities through its own organization as an agency of the Risk Center of the TBB and provides data collection and sharing services to the 187 financial institutions that are members of the Risk Center.

CROSS-BORDER REGULATION

Passporting

17. Can regulated activities be passported into your jurisdiction?

Pursuant to the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, which was published in Official Gazette No. 31676 of 1 December 2021, fintech companies may cooperate with legal entities residing abroad when providing services. However, the legal entities residing abroad are to obtain permission from the Central Bank of the Republic of Turkey (CBRT), in line with their objectives or operations. However, the foreign legal entity in question must also be authorized to provide payment services or issue electronic money, by the relevant authorities of the country where its headquarters is located. The legal entity residing abroad with whom the cooperation is made may not be the exposed face of the service alone before the customer and the payment institutions and e-money institutions will continue to be accountable to domestic customers for the services provided within the scope of the cooperation.

Requirement for a local presence

18. Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?

Under Turkish law, a license to provide financial services in Turkey cannot be obtained unless the company is governed by Turkish law; however, pursuant to the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, it is determined that fintech companies may cooperate with institutions abroad when providing financial services. A fintech company is required to be incorporated and licensed in the local Turkish jurisdiction by the CBRT. The requirement also applies to companies that provide cross-border services and products, and whether the products are actively marketed or the client in the jurisdiction solicits the service or product, is not relevant.

SALES AND MARKETING

Restrictions

19. What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

The sale and marketing of financial services and products may fall under the surveillance of the Capital Markets Board (CMB) or the Banking Regulation and Supervision Agency (BRSA). The CMB’s Principles on Investment Services and Activities and Ancillary Services No. III-37.1 and the BRSA’s Regulation on Banks’ Procurement of Support Services impose certain restrictions on financial service providers and the vendors providing the sale and marketing of financial services in Turkey.

Besides these regulations, the prohibition on lending is specifically regulated in the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers. Within the scope of this regulation, payment and e-money institutions cannot give loans, nor may they engage in advertising and marketing activities in a way that creates the impression that they are giving loans.

According to the BRSA press release of 15 December 2022, to avoid any doubt, it has been announced that only authorized institutions listed under the Institutions tab on the BRSA’s official website are allowed to provide loans. The loans must be provided by banks and other financial institutions operating with permission from the BRSA and institutions explicitly authorized by the relevant legislation.

CRYPTOASSETS AND TOKENS

Distributed ledger technology

20. Are there rules or regulations governing the use of distributed ledger technology or blockchains?

There are neither rules nor regulations governing the use of distributed ledger technology or blockchains. However, distributed ledger technology and blockchains have recently started to be used in various sectors, including the banking and finance sector.

Cryptoassets

21. Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?

The Regulation on Not Using Crypto Assets in Payments was published by the Central Bank of the Republic of Turkey (CBRT) in the Official Gazette of 16 April 2021, entering into force on 30 April 2021. The Regulation regulates:

• not using cryptoassets in payments;
• procedures and principles are determined to ensure that cryptoassets are not used directly or indirectly in the provision of payment services and issuance of electronic money; and
• payment and electronic money institutions do not act as intermediaries for platforms that provide trading, custody, transfer or issue services regarding cryptoassets or fund transfers from these platforms.

Payment service providers (banks, electronic money and payment institutions, Posta ve Telgraf Teskilati) are not allowed to develop business models in a way that cryptoassets will be used directly or indirectly in the provision of payment services and issuing electronic money. In addition, payment and electronic money institutions are prohibited from intermediating on platforms that provide trading, custody, transfer or issue services regarding cryptoassets or fund transfers to be made from these platforms.

The Turkish Financial Crimes Investigation Board published an updated guidebook that states that fund transfers made to intermediary institutions for the purpose of purchasing cryptoassets (namely, bitcoin) will no longer automatically be considered a suspicious movement of funds and will be analyzed on a know-your-customer basis.

Token issuance

22. Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?

The Capital Markets Law and regulations govern the operation of digital currency exchanges and brokerages. However, cryptoassets do benefit from these rules and regulations. If an ICO project is characterized as crowdfunding, the ICO process should be carried out not by the entrepreneur, but through a crowdfunding platform.

The issue of whether there are any legal obstacles to ICO under Turkish law or whether the ICO is subject to any specific procedure varies according to the legal nature of the asset value collected from the public within the scope of the ICO organized and the features of the token to be distributed in return for this asset value. In this context, the token, which will be distributed independently of the legal nature of the asset value to be collected from the public as a fund, can be qualified as a capital market instrument due to the features it contains, and this may require adding capital market regulations to the ICO equation to be organized.

Last, pursuant to the Regulation on the Non-Use of Crypto Assets in Payments, published in the Official Gazette of 30 April 2021, no ban was imposed on the trading of cryptocurrencies on exchange platforms.

ARTIFICIAL INTELLIGENCE

Artificial intelligence

23. Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

There are neither rules nor regulations governing the use of artificial intelligence (AI) in Turkey. However, the Digital Transformation Office, structured under the Presidency, has been granted the task of leading the AI transformation process. In this context, the National Artificial Intelligence Strategy 2021–2025, drafted in cooperation with the Digital Transformation Office of the Presidency of the Republic of Turkey and the Ministry of Industry and Technology, was announced on 24 August 2021, and the Presidential Circular on the National Artificial Intelligence Strategy was published in the Official Gazette of 20 August 2021. The roadmap for work in the field of AI until 2025 has been determined by the Strategy Document. In this direction, the National Artificial Intelligence Strategy Steering Committee has been established to further the activities that Turkey will carry out in the field of AI until 2025, to determine the strategic priorities, goals, targets and measures in this field and to implement them.

The Personal Data Protection Authority published the guide titled ‘Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence’ on 15 September 2021. The Guide states the general recommendations set certain recommendations on the protection of personal data in AI applications, carried out by developers, manufacturers, service providers and decision-makers in the field of AI. The Guide recommends that special attention be paid to:

• personal data privacy in a way that is consistent with national and international regulations;
• relevant academic institutions, experts and organizations should collaborate within the design phase of human-rights-based ethical and socially oriented AI applications;
• the data subjects should be given the right to object to personal data processing activities that are based on technologies that affect their opinions and personal development;
• alternatives that have less interference with personal rights should be provided to ensure the freedom of choice of users; and
• mechanisms should be designed to inform the data subjects and obtain approval in necessary situations in accordance with Turkish Personal Data Protection legislation.

In addition, the Regulation on the Structure and Activities of the Türkiye Health Data Research and Artificial Intelligence Applications Institution was published in the Official Gazette of 12 March 2022. With the Regulation, the establishment, structure, duties, authorities, working principles and procedures of the Türkiye Health Data Research and Artificial Intelligence Applications Institute is regulated. This Regulation aims to increase the use of health data and AI in Turkey as well as conduct supporting scientific and technological research in this context; to provide financial or scientific support and coordinate and monitor research and development activities to be carried out on the use of AI and health data.

The Regulation on Remote Identification Methods to be used by Leasing, Factoring, Financing and Savings Financing Companies and the Establishment of Contractual Relationships through Electronic Media has been published in the Official Gazette of 11 January 2022. The Regulation includes a provision regulating to the AI applications in the sector. According to article 14 of the Regulation, the Banking Regulation and Supervision Agency is authorized to determine the implementation principles for transactions not exceeding 7,500 Turkish liras and carried out by means of AI-based methods instead of a client representative.

CHANGE OF CONTROL

Notification and consent

24. Describe any rules relating to notification or consent requirements if a regulated business changes control.

Pursuant to Communiqué No. 2022/2, published in the Official Gazette of 4 March 2022, the Competition Authority (Authority) made critical amendments to Communiqué No. 2010/4 on Mergers and Acquisitions Requiring Authorization from the Competition Board in terms of the undertakings subject to the Communiqué, turnover thresholds and additional notification obligation.

In addition to this, some companies performing in the banking and finance sector, such as payment service providers, crowdfunding platforms, banks and financial institutions, that are supposed to be parties to business transactions (namely, mergers, acquisitions or share transfers) must notify the relevant authorities (namely, the Banking Regulation and Supervision Agency, the Central Bank of the Republic of Turkey and the Capital Market Authority).

FINANCIAL CRIME

Anti-bribery and anti-money laundering procedures

25. Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

Turkish money laundering and terrorist financing legislation, namely, the Law for Preventing Laundered Criminal Income (Law No. 5549) and its supplementary regulation, requires that fintech companies implement procedures to combat bribery. The appointment of a compliance officer, identity verification of account holders and reporting of suspicious transactions are commonplace requirements the regulation imposes on fintech companies.

The Turkish Financial Crimes Investigation Board (MASAK) also regulates fintech products and services in terms of money laundering proceedings for crime and terrorist financing.

Additionally, the term ‘financial group’ has been defined in article 2 of the Law on the Prevention of Laundering Proceeds of Crime with the amendment made pursuant to article 20 of Law No. 7262 on Preventing Financing of Proliferation of Weapons of Mass Destruction (Law No. 7262), of 27 December 2020. The term has been defined as to also include foreign-based financial companies.

The Regulation Amending the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism (Decision No. 6702) (Amending Regulation) has been published in the Official Gazette of 14 January 2023.

As per the Amending Regulation, the limit for certain institutions such as banks, institutions other than banks authorized to issue debit cards or credit cards, financing and factoring companies and financial leasing companies, namely obligors, to determine the identity of their customers and those acting on behalf of or on account of their customers and to take necessary measures to reveal the real beneficiary of the transaction by obtaining information on identity and confirming the accuracy of this information in cases where the transaction amount or the total amount of more than one interconnected transaction has been raised to185,000 Turkish liras or more.

Guidance

26. Is there regulatory or industry anti-financial crime guidance for fintech companies?

Yes, both industry and regulatory authorities provide assistance to entities active in regulated industries. MASAK, mandated by the Ministry of Treasury and Finance, provides guidance and education. MASAK has issued Sectoral Guidance Notes addressing Financial Institutions and Banks but not specifically addressing the fintech companies.

MASAK’s Guide, published on 4 May 2021, first provides brief explanations regarding the activities of MASAK and the crimes of laundering proceeds of crime and financing of terrorism. As for the definition of ‘cryptoasset’, the Guide refers to the Regulation Prohibiting Payments Through Crypto Assets, which was published in Official Gazette No. 31456 of 16 April 2021 and entered into force on 30 April 2021. The Guide defines the activities of cryptoasset service providers as ‘the mediation regarding the trading of the cryptoassets through electronic transaction platforms’.

In addition, following the cryptoasset service providers being determined as obliged parties by the relevant legal regulation, the Suspicious Transaction Reporting Guide (Guide) was published on the official site of MASAK on 18 April 2022, aiming to explain the rules to which cryptoasset service providers are subject to regarding the obligations stipulated under Law No. 5549, including reporting of suspicious transactions.

The Guide includes explanations on the subject, form and content of the notification to be made, the types of suspicious transactions and the types of customers making the transaction. Suspicious transactions shall be notified to MASAK by the obliged parties within 10 business days at the latest from the date of suspicion regarding the transaction, or immediately in cases where there is a risk of delay. Suspicious transaction notification to MASAK in cryptoasset service providers shall be carried out by the obliged natural person him or herself or by the legal representatives of the obliged legal entity. If the obligation to report suspicious transactions is violated, the obliged party may be subject to an administrative fine of at least 50,000 Turkish liras and up to 4 million Turkish liras for each violation.

DATA PROTECTION AND CYBERSECURITY

Data protection

27. What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

The Personal Data Protection Law, the Regulation on the Erasure, Destruction, or Anonymization of Personal Data and the other secondary regulations are the main regulations that regulate personal data processing activities for all sector players, including fintech companies.

On the other hand, payment service providers must obtain a Payment Card Industry Data Security Standard certificate and comply with its principles and procedures, which also include rules regarding data erasure, transfer, destruction and processing. Moreover, they must keep all data in Turkey under the Communiqué on the Administration and Auditing of Payment Institutions and Electronic Money Institutions’ Information Systems.

The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (Regulation) includes the term ‘sensitive customer data’ and defines it as personal data and customer security information used in issuing payment orders or verifying the identity of the customer, and which, if captured or changed by third parties, may allow fraud or fraudulent transactions on behalf of the customer.

In this context, fintech companies are obliged to take the necessary measures for the protection of secrets and personal data, especially sensitive customer data and data belonging to themselves, in the procurement of external services.

With the Regulation, the payment service providers are obliged to offer the payment account and infrastructure services it offers under similar conditions with other commercial customers, business partners and other payment service providers with which they make transactions, if another payment service provider wishes to use such services and within one month at the latest, payment service providers are obliged to convey the decision of rejection or acceptance to the requesting payment service provider.

Also, within the scope of the Regulation, the payment services and electronic money institutions, are obliged to take the necessary measures for the protection of secrets and personal data, especially sensitive customer data belonging to itself and its customers, in the procurement of outsourcing.

The procedures and principles regarding the status of competition-sensitive data in data sharing to be made pursuant to the Regulation are determined by the Central Bank of the Republic of Turkey by taking the opinion of the Competition Authority.

Lastly, pursuant to the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services, financial institutions are obliged to inform the Personal Data Protection Authority, as soon as possible, in the event that a cyber incident that leads to the leakage or disclosure of sensitive customer data or personal data exists or personal data is illegally obtained by others.

Cybersecurity

28. What cybersecurity regulations or standards apply to fintech businesses?

Article 31 of Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions levies the duty to uphold a secure information technology system on the licensed payment service provider.

Additionally, the Communiqué on the Administration and Auditing of Payment Institutions and Electronic Money Institutions’ Information Systems sets clear regulatory standards applicable to fintech businesses. The Communiqué on Principles Applicable to Banking Information Systems Management published by the Banking Regulation and Supervision Agency also regulates the field of cybersecurity applicable to financial institutions, however, it does not govern payment service providers and e-money institutions.

Pursuant to the Communiqué, payment and electronic money institutions are obliged to carry out cyber security incident and breach management within the framework of predetermined procedures to ensure that incidents and breaches, including customer complaints, are detected, intervened, recorded, reported in a timely manner; analyzed in a manner that includes determining the potential size, impact, damage and affected customers; resolved in the shortest possible time and with the least damage so that information system services are restored and all relevant stakeholders are informed about the incident.

Additionally, the Electronic Communications Law also governs the issue of cybersecurity pertinent to businesses active in the fintech industry, namely, with its supplemental Regulation titled Network and Information Security in the Electronic Communications Industry published in Official Gazette No. 29059 of 13 July 2014.

Finally, the Presidential Circular on Information and Communication Security Measures sets forth a series of measures aimed at increasing the security of critical data, including requirements for the domestic localization of data and limitations on the use of cloud services. The Circular primarily concerns public institutions and organizations, but also private organizations that provide services in critical infrastructure sectors, namely banking and finance.

OUTSOURCING AND CLOUD COMPUTING

Outsourcing

29. Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

Outsourcing limitations exist in two areas. One is related to outsourcing where the outsourcing also needs to carry the qualifications and standards that are required from the entity (the licensed outsourcer, in other words, the payment service provider) that is being licensed. This is detailed within Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions and its secondary regulations.

The second legal requirement concerns outsourcing services pertinent to personal data and transferring personal data abroad. Red tape exists for transfers abroad; practically, a de facto rule requiring all processing activities to be performed within Turkey.

Within the scope of the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers published in the Official Gazette of 1 December 2021, the rule is that payment institutions and e-money institutions may not outsource the activities regarding providing payment services and issuing electronic money. However, with the Regulation, they have the opportunity to procure information systems, marketing, advertising, corporate resource management, accounting, call center, follow-up activities of the institution’s administrative affairs, as well as activities other than payment service provision and electronic money issuance, from an external service provider.

Cloud computing

30. Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

There are no specific requirements focused on the use of cloud computing. However, depending on where the cloud data is physically located, the use of cloud computing may be restricted, forbidden or conditioned. For instance, the Personal Data Protection Law (Law No. 6698) regulates personal data transfer in two subsections concerning transfers within Turkey and transfers out of Turkey, respectively. Therefore, depending on where cloud data is physically located, the relevant requirements and conditions must be fulfilled. For instance, if there is a cross-border personal data transfer generated from the use of cloud computing, the data controller may be obliged to enter into an agreement with the cloud computing service provider and apply to the Personal Data Protection Board to get its authorization.

According to the Communiqué on the Management and Supervision for Information Systems of the Payment Institutions and E-Money Institutions, institutions are obliged to have their information systems located in Turkey and cloud computing must be within the scope of these systems.

In addition, pursuant to the Information Systems Management Communiqué No. VII-128.9 published by the Capital Markets Board, companies, institutions and other legal entities are obliged to have their information systems located in Turkey (cloud computing is included in the scope of these systems). The legal entities listed in the Communiqué include publicly held companies, stock markets and capital markets institutions.

Also, The Regulation on the Independent Audit of Information Systems and Business Processes published in the Official Gazette of 31 January 202, regulates the procedures and principles regarding the auditing of the information systems and business processes of the institutions under the supervision and control of the Banking Regulation and Supervision Agency by independent audit firms authorized within the scope of this Regulation.

According to the Regulation on Bank Information Systems and Electronic Banking Services, customer data may not be transferred abroad without the explicit request of the customer. Owing to this regulation, the use of cloud computing services that have servers located abroad may be problematic in terms of banking services, as the use of cloud computing services with servers located abroad is regarded as data transfer abroad by Law No. 6698.

Pursuant to the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services (Communiqué) published in the Official Gazette of 1 December 2021; in the scope of the management of the outsourcing process for information systems, outsourcing service providers may provide outsourced services through the community cloud service model, in which hardware and software resources allocated only to payment service providers or other credit institutions or financial institutions whose activities related to information systems are regulated and supervised by a competent authority within the framework of the relevant legislation are physically shared but logically assigned a separate resource specific to each payment service provider.

The Communiqué stipulates that institutions may outsource services through the community cloud service model if such services are provided by external service providers deemed appropriate by the Central Bank of the Republic of Turkey (CBRT), and the CBRT is authorized to determine the appropriateness of external service providers that may offer external services through the community cloud service model.

Accordingly, the CBRT published the Guidelines on External Service Providers Offering Community Cloud Services (Guideline) in July 2022, which brings requirements on external service providers wishing to offer services through the community cloud service model.

INTELLECTUAL PROPERTY RIGHTS

IP protection for software

31. Which intellectual property rights are available to protect software, and how do you obtain those rights?

Unlike common law jurisdictions that offer patent protection to software-implemented inventions and upon the fulfillment of certain criteria, even business methods, Turkey does not afford patent protection to software-implemented inventions and business methods. Copyright protection is the method that can be utilized for protecting the ownership of rights over software.

Original works that bear the characteristics and originality of the author are protected by copyright in Turkey, and these works are classified by Law No. 5846 of 5 December 1951 on Intellectual and Artistic Works as follows:

• science and literature;
• music;
• fine art; and
• cinema.

These categories are numerus clausus, and software is listed under the ‘science and literature’ category.

If a copyrighted work such as a piece of software is created, it is not compulsory to register it, and one owns the copyright and the protection at the time it is created or made public. Nevertheless, there is a non-compulsory registry system at the General Directorate of Copyright of the Ministry of Culture and Tourism that requires little proof. The general protection period is the lifetime of the author plus 70 years. There is no application similar to that of a patent application that is required of a copyright holder. Software and computer programs are classified under Class 9 of the Turkish Classification System published on the Turkish Patent and Trademark Authority’s website; however, each piece of software may contain characteristics of more than one specific class and this should be taken into consideration.

While software generally falls under copyright protection, industrial property protection can also be provided under certain conditions. If a software that works or runs with a machine or device, or is connected to a machine or device, the machine or system can be patented together with that device. Also, a computer program that performs a method that solves a technical problem can be protected by a patent. This protection is within the scope of Industrial Property Law No. 6769 and the Turkish Patent and Trademark Office is authorized to carry out the related transactions.

IP developed by employees and contractors

32. Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

In principle, pursuant to Industrial Property Law No. 6769, unless otherwise agreed upon due to special contracts made between the parties (employer and employee) or the nature of the work, the rights to designs made by employees shall belong to the employer according to employees’ job descriptions and obligations arising from the labor contract or owing to the experiences and operations of the business organization. For an invention to qualify as an ‘employee service invention’, it must be realized during the course of employment. The employee is obliged to report the invention to his or her employer in writing without delay. Additionally, free inventions that are the employee’s inventions outside the scope of employee service inventions are also subject to reporting obligations for employees, who must make a declaration of the invention to their employer if the invention is made during their employment contract.

Joint ownership

33. Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

Certain restrictions and joint ownership provisions exist, both for copyright and patents. For copyright, joint ownership provisions and restrictions find form within the Law on Intellectual and Industrial Rights (Law No. 5846). For patents, Law No. 6769 provides that joint ownership is permissible and imposes restrictions upon the patent holders of intellectual property (IP) rights. Pursuant to Law No. 6769, if an invention is made by more than one person, each of the inventors may apply for a patent and these inventors shall be granted joint ownership.

If the design application or design belongs to more than one person, the partnership claim on the right shall be determined pursuant to the agreement concluded between the parties, and if there is no such agreement between the parties, it is determined in accordance with the provisions related to joint ownership in Turkish Civil Code No. 4721. For a patent license to be granted to third parties in relation to the use of an invention, each of the right owners must grant permission unanimously. Even in the case of joint ownership, the rights of the owners may not be separated in relation to a patent application or patent assignment. Additionally, in the case of joint ownership, the right owners may assign a joint representative.

Finally, according to Law No. 5846, if a work is created by more than one author and if the work is of an inseparable nature, joint ownership shall be assumed and the provisions regarding ordinary partnerships stipulated under Turkish Obligations Law No. 6098 shall apply.

Trade secrets

34. How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

Trade secrets are protected under several Turkish regulations, including the Turkish Criminal Code. Duties of confidentiality are established for a variety of parties, including but not limited to, board members, shareholders, proxies, auditors, employees and contractors. Trade secrets, such as technical production secrets, production methods, and research and development plans, are also protected under Law No. 6769.

According to Turkish Commercial Law No. 6102, the protection of trade secrets is stipulated as unfair competition, and persons that act in violation of the confidentiality obligation regarding trade secrets and disclose trade secrets in bad faith; and employees, representatives and other contractors that deceive employers into providing trade secrets, shall be subject to an administrative sanction or imprisonment of up to two years. In addition, pursuant to this Law, employers may request pecuniary and non-pecuniary damages from persons that violate the confidentiality obligation and non-competition obligation, causing unfair competition.

As for the protections offered during litigation processes where court records become public knowledge, the Turkish Civil Procedure Code shall apply. Pursuant to Law No. 6100, parties that act in bad faith and unreasonably utilize litigation proceedings to have access to trade secrets shall be subject to part of a whole retainer fee in addition to a disciplinary fine.

Additionally, pursuant to the Amendment to the Banking Law published in the Official Gazette of 25 February 2020, save for the mandatory provisions of the relevant legislation, customer information has been specified as ‘customer secret’ and the criteria regarding processing and transfer of said information shall be realized in accordance with the Personal Data Protection Law (Law No. 6698). Customer secrets will not be shared with or transferred to third parties in Turkey and abroad, except for exceptional cases specified in the Banking Law. Even in cases where the client grants explicit consent regarding the processing of his or her personal data, said data may not be transferred or shared domestically or abroad without the explicit request or order of the client.

The Regulation on the Sharing of Confidential Information (the Regulation) has been published in the Official Gazette of 4 June 2021. Also referring to Law No. 6493, the Regulation is aimed at determining the scope, procedures and principles of the sharing and transfer of bank secrets and customer secrets. With the Regulation, it has become mandatory for banks to establish an information-sharing committee. The committee shall be responsible for coordinating the sharing of customer secrets and bank secrets.

Branding

35. What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

There are no specific regulations on IP protection regarding fintech innovations. Intellectual and industrial property rights are generally protected by Law No. 5846 on Intellectual and Artistic Work and Law No. 6769. If fintech products or services are subject to industrial property rights (namely, a trademark or patent), a patent or trademark is required to be registered before the Turkish Patent and Trademark Office. However, there is no registration requirement in terms of intellectual rights.

According to Law No. 5846, ownership of a fintech innovation will belong to its first creator and he or she will be deemed an author. If an employee creates an innovation during the employment contract, the author will be his or her employer. The duration of the IP right is the life of the author plus 70 years.

Remedies for infringement of IP

36. What remedies are available to individuals or companies whose intellectual property rights have been infringed?

According to Law No. 5846, authors whose IP rights have been violated may:

• file a civil lawsuit regarding the prohibition of the infringement;
• file a civil lawsuit regarding the prevention of infringement;
• request compensation; or
• file a criminal lawsuit.

According to Law No. 6769, persons whose rights are being violated may:

• file a civil lawsuit regarding probable infringement;
• file a civil lawsuit to cease infringement;
• file a civil lawsuit regarding the removal of infringement and request compensation; or
• request for necessary precautions to be taken.

COMPETITION 

Sector-specific issues

37. Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

There are significant duties levied upon financial institutions regarding the duty of confidentiality within Turkish legislation, namely the Banking Law, the Turkish Commercial Code, the Turkish Criminal Code and the Personal Data Protection Law. This duty limits the sharing of data in a manner that would be considered as promoting competition. The Report on Financial Technologies in Payment Services, which was published on 8 December 2021, emphasized the importance of making maximum use of the radical transformation in the financial sector in Turkey and revealed the necessity of inter-institutional cooperation in this field focused on the issues supporting the development of financial technologies, exclusionary actions of established enterprises, regulatory framework, market dynamics and market entry of large technology companies.

Also, pursuant to Communiqué No. 2022/2 on the Amendment of Communiqué No. 2010/4 (Communiqué No. 2010/4) on the Mergers and Acquisitions Subject to the Approval of the Competition Board (the Amendment Communiqué) published in the Official Gazette of 4 March 2022, the Turkish merger control thresholds have been raised and those exceeding certain thresholds will have to obtain permission from the Competition Board. However, the Competition Authority has clarified that it wishes to review the transactions of fintech and software companies as well as digital platforms regardless of whether they exceed the set thresholds or not.

TAX

Incentives

38. Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

There exists a variety of tax incentives that are applicable to entities that are active in the technology industry, albeit these incentives are not exclusive to the fintech industry and under most circumstances, an entity’s entitlement to these incentives requires that a sectoral analysis of the applicant be performed on a case-by-case review.

According to Law No. 4691 on Technology Development Zones, the fintech companies located in technoparks can benefit from numerous tax incentives, including exemption from corporate tax, income tax and value added tax. The exemption application for the research and development design and support personnel working in the Technology Development Zone was amended with the Amendment Law on Technology Development Zones, which was published in Official Gazette No. 31384 of 3 February 2021. In parallel with the practice implemented in research and development centers, the minimum living allowance is arranged in such a way that the remaining tax amount after deducting the tax corresponding to the minimum wage exemption is deducted from the tax accrued on the concise declaration to be submitted. Further, under the same law, a taxpayer whose primary place of business is located within a designated tech zone shall be excluded from the duty of paying corporate tax and income tax until 31 December 2028 with the Amendment Law.

According to Presidential Decree No. 2834, published in the Official Gazette of 8 August 2020, the rate of bank and insurance transactions tax (BITT) is applied as five percent in foreign exchange sales to foreign resident organizations that perform at least one of the activities accepted as a financial institution activity in accordance with Banking Law No. 5411.

Increased tax burden

39. Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

A new digital service tax was introduced with the Law on the Digital Service Tax and Amendments on Certain Laws and Decree No. 375, published in the Official Gazette of 7 December 2019. Revenue gained from the activities that fall under the definition of digital services and intermediary services provided in the digital environment shall be subject to digital service tax. Taxpayers exceeding a revenue threshold of €750 million in global revenue and 20 million Turkish liras in local revenue will be subject to a digital service tax at a rate of 7.5 percent.

Also, the transactions carried out by the fintech companies that fall within the scope of the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions are subject to BITT at a rate of 5 percent in general (although some transactions are subject to 1 percent or zero percent BITT).

IMMIGRATION

Sector-specific schemes

40. What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

There is no specific immigration scheme for fintech businesses to recruit staff from abroad. However, in the Turkish legal framework, there are several laws and regulations for immigration schemes to recruit skilled staff from abroad.

The main regulations are:

• the Turkish Citizenship Law;
• the Law on Foreigners and International Protection;
• the International Labor Law;
• the Law on Work Permits for Foreigners; and
• the Law on Residence and Travel of Foreigners in Turkey.

Persons that provide significant investment and employment opportunities or are expected to provide significant improvements to the technology and sciences sector, can receive Turkish citizenship under the Turkish Citizenship Law.

As for work permits, industries that require specific expert employment or a qualified executive candidate be appointed to director positions, auditor positions that require the supervision of technical and administrative standards, or any other personnel that might be classified as key personnel will be eligible to receive a residency and work permit.

UPDATE AND TRENDS IN FINTECH IN TURKEY

Current developments

41. Are there any other current developments or emerging trends to note?

A developing fintech industry exists in Turkey. Pursuant to the Turkey Fintech Guide 2023, published by the Presidency of the Republic of Turkey Finance Office, Turkey has received a start-up investment of US$1.6 billion in 2022, ranking 10th in Europe and third in the MENA, which was invested in 300 start-ups, out of which the fintech industry received the highest number of investments with 34 deals.

As a significant development, the Regulation Amending the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism (Decision No. 6702) was published, and the limit for certain institutions such as banks, institutions other than banks authorized to issue debit cards or credit cards, financing and factoring companies and financial leasing companies’ obligation to check their customers’ identities has been raised to 185,000 Turkish liras or more.

As per developments on asset management companies, the Communiqué on Portfolio Management Companies and Activities of Such Companies (III-55.1) issued by the Capital Markets Board has been amended as per the Communiqué (III-55.1.d) (Amending Communiqué), published in the Official Gazette of 18 February 2023. The Amending Communiqué introduced the concept of sub-portfolio management, which includes a contract to be signed between institutions or asset management companies authorized for portfolio management abroad for sub-portfolio management. Within the framework of this agreement, it refers to the activity of managing a certain portion or all of the portfolio of the portfolio manager by the sub-portfolio manager.

In terms of artificial intelligence (AI), the Regulation on the Structure and Activities of the Türkiye Health Data Research and Artificial Intelligence Applications Institution was published in the Official Gazette of 12 March 2022. With the Regulation, the establishment, structure, duties, authorities, working principles and procedures of the Türkiye Health Data Research and Artificial Intelligence Applications Institute have been regulated. This Regulation aims to increase the use of health data and AI in Turkey as well as conducting and supporting scientific and technological research in this context; and provide financial or scientific support to, coordinate and monitor research and development activities to be carried out on the use of AI and health data.

Another important development in Turkey’s fintech ecosystem is regarding the insurtech field. The Regulation on the Provision of Remote Health Services (Regulation), which entered into force upon its publication in the Official Gazette of 10 February 2022, regulates the procedures and principles regarding the scope of remote health services, the authorization of healthcare facilities that will provide remote health services, the development and registration of remote health information systems, and the inspection of healthcare facilities within this scope.

There were also developments in the cloud computing area. Pursuant to the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services, the Central Bank of the Republic of Turkey published the Guidelines on External Service Providers Offering Community Cloud Services (Guideline) in July 2022, which brings requirements on external service providers wishing to offer services through the community cloud service model.

Last, The Banking Sector Good Practices Guide on the Protection of Personal Data was published by the Personal Data Protection Authority on 5 August 2022, specifically on the subject of open banking systems. The Guide contains general explanations regarding the procedures and principles that banks must comply with in the field of personal data protection and the obligations to be fulfilled.

* The information in this chapter was accurate as of June 2023.

If you need more consulting, please Contact Us at TNHH NT International Law Firm (ntpartnerlawfirm.com)

You can also download the .docx version here.

“The article’s content refers to the regulations that were applicable at the time of its creation and is intended solely for reference purposes. To obtain accurate information, it is advisable to seek the guidance of a consulting lawyer.”

LEGAL CONSULTING SERVICES

090.252.4567

HÃY CLICK ĐỂ LẠI SĐT CHÚNG TÔI SẼ GỌI NGAY CHO BẠN MIỄN PHÍ

NT INTERNATIONAL LAW FIRM

• Email: info@ntpartnerlawfirm.com – luatsu.toannguyen@gmail.com
• Phone: 090 252 4567
• Address: B23 Nam Long Residential Area, Phu Thuan Ward, District 7, Ho Chi Minh City, Vietnam