Open Banking doesn't just happen because regulations enforce it, it's commercially embraced as an opportunity to make a nation's financial infrastructure more efficient, more resilient, and better serve customers. We look forward to the opportunities it will bring to the economy and society as a whole. Open Banking Implementation Entity the 'OBIE' Implementation Auditor Imran Gulamhuseinwala, UK
The success of innovation in payment systems for Fintech organizations depends on analyzing the demand for technology and preparing for it, in line with the wishes of the users. Therefore, it is foreseen that fintech institutions that work and produce services by listening to their users in the development of financial processes and the facilities to be provided will achieve permanence in the financial world. According to the 'Pulse of Fintech H2 2020' report published by KPMG, 105.3 billion dollars of fintech investments were made in the world in 2020. According to the data published by the Presidential Finance Office only for 2021, the number of fintech companies that are actively operating has reached 520. When we examine the year 2021, the investment made in the fintech sector reaches 64 million dollars. While the number of unicorns, which was 563 in 2020, reached 832 in 2021, it is seen that 162 of these companies are fintech companies and the sector that produces the most unicorns in financial technologies. The 'open banking' technology, which is the subject of our article, stands out as one of the most important developments that design the future of the financial sector.
What is in the system and how does it work?
In the open banking system, 'Account Information Service Providers (AISP)', institutions that collect financial data, and customers can perform their financial transactions in their accounts in different banks on a single platform. In this way, customers who can collect their financial data in one place can have more control over their own data. For example, BNP Paribas, in cooperation with the Tink company, enables customers to view their accounts in other banks from the Easy Banking application. With this system, BNP Paribas customers can add their accounts in Belfius, ING, and KBC banks in Belgium. When we examine the examples in our country, we see that Türkiye İş Bankası implements the open banking system with TekCep -TekPOS applications developed for its legal customers and initiatives such as Vomsis, Finmaks, and Finstant.
Payment Initiation Service Providers (PISP), on the other hand, act as agents that mediate authorized third-party companies to make online payments without the need for customers to use a credit or debit card. They manage the payment between them. Companies with this authorization will be able to initiate a payment process on behalf of the customer and then withdraw money directly from the customer's account with the approval of the customer. If the customer has more than one account, the account from which the money will be withdrawn will be determined by the customer.
What are the advantages?
Fintech institutions and banks aim to be the largest financial application both at home and abroad as a financial super-app. In our publication series, we have explained with examples the many financial experiences offered to customers by both banks and fintech institutions. The most effective model among these financial applications, 'open banking', is a business model that enables customers to manage their data and financial lives more actively, and to access services that suit their needs as a whole from different platforms at lower fees. The Application Programming Interface (API) agent is needed for this access to work securely. With this interface, two different applications work in integration with each other, and data exchange is provided. Under the restrictions stipulated by the legislation, different products and services will be offered for each customer by using the information such as regular bill payments, limit and expenditure information, applied loans, and money transfers of customers recorded in banks' systems, by third party companies through APIs. An example of this is the recommendation of banks and fintech companies that do not charge or have low EFT fees to a bank customer who transfers a lot of money. Again, to the extent permitted by law, banks will be presented to customers by transferring and analyzing their own financial data and showing loan products with appropriate interest rates and maturity options according to the income and expenses of the users. Thus, customers will be able to view the products and services offered by each bank and determine the most suitable financial actor for their budget by comparing them. For example, platforms such as BiriKredi, Finekra, Kredya, and Accountkurdu allow customers to compare the loan rates offered by banks. In this process, an application can also be developed, such as a listing bank or fintech applications that provide cashback for users' subscriptions such as Netflix, Spotify, and Blu Tv.
Now let's examine how the regulatory rules regarding open banking are shaped.
On what basis? What's happening in Turkey?
After the Payment Services Directive (Payment Services Directive 1; PSD1), which was implemented in the European Union in 2009, the regulatory infrastructure of open banking was created with the Payment Services Directive 2 (Payment Services Directive, PSD2), which ended in 2018 with the harmonization process. The basis of open banking in Turkey was regulated by Law No. 7192 on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions with the amendment made to Law No. 6493 in 2019. As of 2020, legislative work gained momentum and open banking was defined with the Regulation on Information Systems and Electronic Banking Services of Banks. Accordingly, open banking is defined as an electronic distribution channel service where customers instruct the bank to perform or perform their banking transactions.
Banks operating in our country are held liable by the BRSA to take extremely strict security measures. While the CBRT was assigned to carry out studies related to open banking in Regulation and Law No. 6493, the authority to make regulations on issues other than financial and payment areas was given to the BRSA. Therefore, the BRSA and the CBRT were chosen as the regulatory and supervisory authorities for the open banking service.
On December 1, 2021, the CBRT published the communiqué and regulation as a guide for the account information service providers (AISP) and payment initiation service providers (PISP) explained above. The rules that must be followed in the performance of the services envisaged in the relevant legislation by organizations holding an operating license were specified. These rules are related to the business models and information systems to be developed by the organizations, and the deadline for compliance has been determined as 1 December 2022.
What does the Payment Services Directive 2 (PSD2) in EU Countries provide? How will users' financial data be protected?
As we mentioned above, with the Payment Services Directive 2 (PSD2), open banking service has entered our lives conceptually. In EU countries, it is obligatory to register with the European Banking Authority for the authorization and supervision of companies that will provide all account information services and payment initiation services. Apart from these, companies are also expected to provide liability insurance or a similar assurance, depending on the size of the activity, to ensure sustainability in the provision of these services.
In line with the permission of the customers, the Directive brings some regulations on data sharing between banks and third-party companies authorized for banking activities. From this point of view, we can say that perhaps the most striking regulation of PSD2 on open banking is that 'data sharing' is made compulsory without leaving it to the initiative of the banks. Therefore, PSD2 turns the open banking service into an obligatory practice within the EU countries, the framework of which is drawn by laws.
It is essential for a company that collects the financial data of customers in banks to be able to access it within the scope of customers' consent. Therefore, the phenomenon of 'data ownership' will belong to the customers at some point and the transactions will be carried out within the scope of the permission given by the customers. It should be especially noted that this access is limited to data such as balance information and account movements, not all the data of the customer at the bank. Thus, the data received from different banks are combined and presented to the customer, and this information is analyzed as stipulated in the law to provide some value-added services. However, if the data collection company's purpose of using the data is based on developing business models, additional consent from the customers is required for this. It is seen that there is no need to establish any contractual relationship between companies that collect financial data, companies that provide payment initiation services, and banks. Because bank customers now have the opportunity to access banking data from different platforms, these transactions can be carried out within the scope of the permission given by the customers.
When using customer financial data, both banks and third-party companies will have to comply not only with PSD2 but also with the rules in the General Data Protection Regulation (GDPR). GDPR stipulates the obligation of obtaining explicit consent from customers for the use of financial information, establishing systems for withdrawing this consent at any time, and providing detailed information on how and for what purpose this data will be used. To protect financial data, a regulation was also brought so that companies providing both services do not have absolute access to the passwords used by customers when logging into the bank system.
The Evaluation of the Situation in Turkey
Many services offered by third-party companies take place in our daily lives. For example, synchronous tracking of online orders placed by all of us as consumers on the map is realized by using Google APIs. The open banking ecosystem, on the other hand, allows the sharing of financial data of customers with third-party companies through these APIs, as explained above. With the exchange of these financial data, it is aimed to provide certain products and services to customers. In such a flow, the existence of legal regulations in our country is needed to prevent unauthorized access to the financial data of customers and to prevent data breaches. In this context, it will also be necessary to determine the rules under which financial data will be processed and transferred.
Based on the protections on personal data available in Turkey, both account information service providers (AISP) and payment initiation service providers (PISP) are required to obtain explicit consent from customers for the processing of their data. This express consent by the customers can be withdrawn at any time and will have the right to limit the scope of their consent. In addition to obtaining express consent, customer consent will also be required. However, it is still unclear how these rights will be exercised and how the customer's consent and approval will be obtained.
In PSD2, banks must share their financial data with third-party service providers in case of obtaining the consent of the customers, while there is no regulation in Turkish law regarding such data sharing obligation. We can say that this situation hinders the development of open banking in Turkey. For this, harmonization studies should be carried out in parallel with the EU legislation in Personal Data Protection Law. This compliance is valid not only based on Personal Data Protection Law, but also on the Banking Law. Because according to the Banking Law, explicit consent is not sufficient for the sharing of personal data. This regulation also undermines the function of the provisions regulating explicit consent in the Personal Data Protection Law, In addition, the BRSA has the authority to prohibit the sharing and transfer of customer data abroad, and a separate regulation should be made regarding this situation.
The Ideal Result: Coopetition and Rapid Regulatory Steps in Open Banking
Although open banking is interpreted as the last point of the financial sector; Since the banking sector is one of the areas where the impact of digitalization is felt most, technological developments and the classical banking understanding and culture will also benefit from the transformation. In the new digital era, customers prefer transparency-based service providers that make their lives easier and shape their preferences, rather than banks that only offer inward-looking products through their channels. For this, fintech should not be seen as a threat to banks, on the contrary, they should work in coordination for value-added services in the digital field with smart collaborations.
It is seen that the new open banking approach must be based on a competitive perspective. Financial actors need to increase their standards for APIs and develop new business models, and regulatory authorities need to take quick action to complete compliance processes.
By Onur Kucuk, Managing Partner, and Ezgi Anasiz, Associate, KP Law