Payment Services Regulation in Turkey: Licensing, Operations, and Supervisory Framework
The CBRT's 2021 Regulation shapes payment sector operations from licensing stages through minimum capital requirements, open banking, and internal systems. Current framework and practical prioritization for payment service providers.
Av. Umut Zorer
Founding Attorney
Introduction
Turkey's payment services regime was built incrementally upon Law No. 6493 of 2013. The principal instrument shaping daily sector operations is the Regulation on Payment Services, Electronic Money Issuance, and Payment Service Providers published in the Official Gazette No. 31676 on 1 December 2021. The Regulation elaborates on licensing application stages, minimum capital requirements, internal systems, open banking, customer fund safeguarding, and information technology infrastructure.
This article addresses the architecture of the 2021 Regulation, the licensing process stages, and practical prioritization for prospective payment institutions and electronic money institutions.
Legal Architecture and Actors
Law No. 6493 divides the payment ecosystem into three principal categories:
- Payment institutions — companies providing payment services such as money remittance, transfers, bill collection, card acceptance, and account services.
- Electronic money institutions — companies issuing electronic money and conducting transactions on electronic money balances.
- Payment service providers — the general framework encompassing all institutions, including banks, that provide payment services.
Regulatory and supervisory authority is concentrated in the CBRT. Through the 2021 regulation amendment, the secondary framework for payment services — licensing, operating permit, compliance, information technology, and reporting — was consolidated under a single regulation.
Convergence with EU PSD2
The 2021 Regulation incorporates provisions that meaningfully converge with the EU's PSD2 (2015/2366). In particular, open banking, strong customer authentication, and transaction notification may be regarded as the Turkish version of the PSD2 framework.
Operating Permit Application Process
A clear structure introduced by the 2021 Regulation divides the operating permit process into two stages:
First stage: preliminary examination
The company applies to the CBRT for preliminary examination. Key documents examined at this stage include:
- Company articles of association and ownership structure,
- Sources of capital and financial documentation of shareholders,
- Professional, financial, and reputational fitness of managers (qualifications of founding partners),
- Definition and business model of payment services to be provided,
- Basic design of the risk management framework,
- Summary of technology infrastructure.
The Bank's affirmative response in the preliminary examination is a prerequisite for advancement to the second stage.
Second stage: final approval
At the final approval application stage, the company is expected to be duly incorporated or to have prepared relevant agreements. Additional documents examined include:
- Evidence that minimum capital has been paid in cash without simulation,
- Confirmation that initial capital and minimum equity requirements are met,
- Establishment of internal audit, risk management, and compliance units,
- Evidence that information technology infrastructure meets technical requirements specified in the Regulation,
- Method of fund safeguarding (separate account, bank guarantee letter, or insurance),
- Customer agreements, complaint management procedures,
- MASAK compliance program.
Following final approval, the company may commence payment service provision; activity conducted prior to approval is deemed unlicensed and subject to sanctions.
Minimum Capital Requirements
The 2021 Regulation establishes different capital tiers depending on the payment services offered:
- For bill payment intermediation and similar limited services, minimum 1,000,000 TL,
- For other payment services, minimum 2,000,000 TL,
- For electronic money issuance, minimum 5,000,000 TL.
These figures were set at the date of Regulation publication and may be updated in the future; current amounts must be verified from CBRT announcements prior to application. Additionally, minimum equity requirements calculated based on the company's annual transaction volume establish an additional framework beyond initial capital.
Customer Fund Safeguarding
Payment institutions and electronic money institutions are obligated to keep customer funds segregated from their own assets. The 2021 Regulation provides three alternative safeguarding methods:
- A dedicated account held at a bank for customer funds, segregated from the company's operating accounts,
- Bank guarantee letter,
- Insurance agreement for this purpose.
Whichever method is chosen, customer fund protection must be guaranteed in cases of insolvency, attachment (writ of execution), or financial distress. This is the cornerstone of payment institutions' reliability.
Open Banking and Third-Party Providers
The 2021 Regulation governs the categories of payment initiation service providers (PISP) and account information service providers (AISP) for open banking. These actors may, with customer authorization, access the customer's bank accounts to initiate transactions or obtain account statements.
For open banking to function in practice:
- Banks must provide open API access to PISPs and AISPs,
- Strong customer authentication (SCA) must be implemented,
- Transaction approval processes must comply with technical standards.
In Turkey, this framework is implemented with technical standards parallel to, but not identical with, PSD2's RTS.
Information Technology Infrastructure and Cloud Usage
The 2021 Regulation imposes concrete requirements on payment service providers' information technology infrastructure:
- Storage of transaction data in domestic servers within Turkey is the rule,
- Storage of certain data abroad is permitted only with CBRT approval or exemption,
- Notification to the CBRT prior to outsourcing and approval in certain circumstances is mandatory,
- Disaster recovery plans and business continuity management are required,
- Cybersecurity audits (including independent penetration testing) are conducted periodically.
Payment institutions working with cloud providers must manage data transfer and access security jointly under the frameworks of the CBRT, the Turkish Data Protection Law (KVKK), and MASAK.
Compliance and MASAK
Payment institutions and electronic money institutions are recognized by MASAK as financial institutions. This entails AML/CFT obligations at the same level as banks:
- Appointment of a compliance officer,
- Risk-based customer identification program,
- Suspicious transaction reporting system,
- Sanctions list screening,
- Record-keeping and retention for 8 years,
- Regular training and internal audit.
For electronic money institutions, MASAK audits are intensive due to their high-volume and fast-paced transaction structures.
Practical Prioritization for Payment Institutions
For payment institutions seeking to obtain an operating permit or maintain an existing license, the recommended prioritization order is:
- Stage 0 — Strategy: Clear definition of payment services to be provided, alignment with PSD2 and Law No. 6493 definitions, minimum capital and equity planning.
- Stage 1 — Corporate structure: Company incorporation, ownership structure, competency documentation of founding partners, articles of association design.
- Stage 2 — Internal systems design: Organization of internal control, risk management, internal audit, and compliance units.
- Stage 3 — Information technology infrastructure: Domestic server strategy, cloud usage approvals, cybersecurity testing, business continuity.
- Stage 4 — Legal framework: Customer agreements, privacy policy, complaint management procedures, fund safeguarding method agreements.
- Stage 5 — Preliminary examination application to the CBRT.
- Stage 6 — Final approval application and commencement of operations.
- Stage 7 — Ongoing compliance: annual reporting, independent penetration testing, MASAK training and audits, Turkish Data Protection Law (KVKK) compliance.
The process typically spans 12–24 months. Collaboration between legal and technical teams prior to application is decisive in preventing the application from being returned at the first stage.
Conclusion
The CBRT's 2021 Regulation has transitioned Turkey's payment sector to a framework converging with international practice and rendered it documentable and auditable. The regime provides licensees with a predictable foundation; in turn, the expectations for compliance cost and operational discipline are high. Managing the CBRT, MASAK, Turkish Data Protection Law (KVKK), cybersecurity, and — at points of contact with cryptoassets — Capital Markets Board regulations together has become an inevitable governance practice in the medium term.
Legal and compliance teams must sit together with business teams and monitor regulatory announcements (CBRT policy decisions, MASAK circulars, Board guidance) in real time; the framework should be remapped at least once annually. When this rhythm is established, a resilient structure is achieved in terms of both sanction risk and business continuity.