Introduction
Open banking is one of the most important legal and technological developments in the Turkish fintech market. It allows authorized third-party providers to access payment account information or initiate payment transactions through secure digital channels, usually based on customer consent and regulated technical infrastructure. In practice, open banking can help consumers compare financial products, manage accounts from different institutions, initiate payments more efficiently, access personal finance tools, and receive more customized financial services.
For fintech companies, banks, payment institutions, electronic money institutions, software providers, and foreign platforms entering Turkey, open banking creates significant business opportunities. However, these opportunities come with serious legal and compliance challenges. Open banking is not simply an API integration project. It is a regulated financial activity involving payment services law, banking regulation, information systems security, customer authentication, personal data protection, AML compliance, contractual liability, and consumer protection.
Turkey’s open banking framework is primarily connected to Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, which regulates payment services, payment institutions, and electronic money institutions. The Central Bank of the Republic of Türkiye, known as the CBRT or TCMB, states that payment services regulation and supervision in Türkiye are governed by Law No. 6493 and related secondary legislation.
Open banking also intersects with banking information systems rules. The Banking Regulation and Supervision Agency, known as the BRSA or BDDK, regulates information systems and electronic banking services of banks. The BRSA regulation on information systems and electronic banking services sets minimum procedures and principles for banks’ information systems, electronic banking services, risk management, and information systems controls.
This article explains the legal framework of open banking in Turkey, the roles of payment initiation service providers and account information service providers, regulatory obligations, customer consent, data protection, cybersecurity, AML risks, contractual liability, and practical compliance challenges for fintech companies.
What Is Open Banking?
Open banking refers to a regulated model where financial institutions make certain customer account data or payment functions accessible to authorized third-party providers through secure digital channels, usually APIs. The customer remains at the center of the process. In a proper open banking structure, customer account data or payment initiation functions should not be accessed without authorization, consent, and security controls.
Open banking generally includes two core services:
Account information services, where an authorized provider accesses and presents information from a customer’s payment accounts.
Payment initiation services, where an authorized provider initiates a payment transaction from the customer’s payment account upon the customer’s instruction.
For example, a personal finance application may allow users to see balances from multiple banks in one dashboard. A merchant payment solution may allow customers to initiate a bank transfer directly instead of using a card. A business finance platform may aggregate account movements from different banks to help SMEs manage cash flow. These services may appear simple to users, but legally they involve regulated access to payment accounts and sensitive financial data.
The main legal issue is whether the company is merely displaying information provided manually by the customer or whether it is accessing regulated account data or initiating payment transactions through open banking infrastructure. If the service involves account information or payment initiation within the meaning of Turkish payment services regulation, authorization and compliance obligations may arise.
Legal Framework of Open Banking in Turkey
Open banking in Turkey is built on several legal sources. The most important framework is Law No. 6493, which regulates payment services, payment institutions, electronic money institutions, and payment systems. The CBRT’s annual reports confirm that payment initiation and account information services were included among payment services following the 2019 update to Law No. 6493.
The second layer is the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, together with the Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services. The CBRT states that these secondary regulations were published in the Official Gazette No. 31676 dated 1 December 2021 and entered into force as part of the regulatory framework for payment and electronic money institutions.
The third layer is banking regulation. Banks providing electronic banking services must comply with the BRSA’s information systems and electronic banking services rules. These rules are relevant because open banking services often rely on secure digital access channels, APIs, authentication mechanisms, and customer instruction flows.
The fourth layer is personal data protection law. Open banking involves sensitive financial information, including account balances, transaction history, payment details, customer identity information, device data, and authentication records. Therefore, Law No. 6698 on the Protection of Personal Data, known as the KVKK, must be considered in every open banking model.
The fifth layer is anti-money laundering and counter-terrorist financing law. If open banking is used to initiate payments, onboard customers, monitor account activity, or support financial transactions, MASAK obligations may become relevant depending on the role of the provider and the regulated status of the institution.
Key Actors in Open Banking
Open banking usually involves several actors. Understanding their legal roles is essential.
The first actor is the account servicing payment service provider. This is the institution that holds the customer’s payment account. It may be a bank, payment institution, or another payment service provider that maintains payment accounts accessible online.
The second actor is the account information service provider. This provider accesses customer account information and presents it to the customer or uses it to provide financial management services. It does not necessarily move money, but it handles sensitive financial data.
The third actor is the payment initiation service provider. This provider initiates a payment transaction from the customer’s payment account upon customer instruction. It may be used in merchant payments, invoice payments, e-commerce flows, and account-to-account payment solutions.
The fourth actor is the customer. Open banking should be based on customer control. The customer decides whether to grant access, what data may be shared, and whether a payment should be initiated.
The fifth actor is the technical infrastructure provider. In Turkey, the open banking infrastructure is connected with centralized systems and integration obligations involving the Interbank Card Center, known as BKM. CBRT materials explain that data sharing service flows were introduced through work conducted under BKM coordination.
A legally sound open banking structure must clearly define these roles. If the parties are unclear about who holds the account, who accesses data, who initiates the payment, who obtains customer consent, and who is liable for errors, the model may create regulatory and civil liability risks.
Payment Initiation Services
Payment initiation services allow a third-party provider to initiate a payment transaction from a customer’s payment account upon the customer’s instruction. This can be commercially attractive because it may reduce dependence on card networks, support direct account-to-account payments, and improve merchant payment flows.
However, payment initiation is a regulated activity. A company that initiates payment transactions should not assume that it is merely offering software. If it sends instructions to a payment account provider, triggers a transfer, or controls the customer-facing initiation process, payment services regulation may apply.
Payment initiation services raise several legal questions:
Is the provider authorized to offer payment initiation services?
How is the customer’s consent obtained?
How is strong customer authentication applied?
Who is responsible if the payment is incorrectly initiated?
How is fraud detected?
Can the customer cancel the payment?
How are payment confirmations sent?
What records are retained?
How are customer complaints handled?
Who is liable for unauthorized transactions?
Payment initiation services can be valuable for e-commerce, bill payment, business payments, and instant account-to-account transactions. Yet they require a strong legal and technical foundation.
Account Information Services
Account information services allow an authorized provider to access and present information from one or more payment accounts. This may support personal finance management, budgeting, credit analysis, accounting automation, cash-flow management, SME finance tools, and financial comparison platforms.
Although account information services may not involve direct transfer of money, they involve sensitive financial data. A customer’s account history can reveal income, spending habits, business relationships, health-related payments, travel patterns, debt obligations, and commercial activity. Therefore, privacy, consent, data minimization, cybersecurity, and contractual transparency are essential.
Account information service providers should address:
What account data is accessed?
For what purpose is the data used?
How long is the data stored?
Can the data be used for credit scoring or marketing?
Can the data be shared with third parties?
How can the customer revoke access?
How is data protected against unauthorized access?
What happens after the customer terminates the service?
Open banking data should not be treated as freely reusable commercial data. Even if the customer authorizes account access, the provider must still comply with data protection principles and purpose limitation.
BKM Integration and 2025 Developments
Turkey’s open banking infrastructure has developed through regulatory deadlines and technical integration requirements. According to legal updates on the March 2025 amendments, payment service providers holding payment accounts related to open banking services were initially required to connect to BKM and provide necessary systems and support to authorized providers offering open banking services by 31 March 2025. The 2025 amendment narrowed the obligation so that it applies to payment service providers that hold payment accounts and also provide customers with direct online access to those accounts.
This amendment is important because not every payment service provider holding payment accounts is automatically subject to the same open banking infrastructure obligation. The service profile matters. Providers that give customers direct online access to payment accounts are more likely to fall within the relevant obligations.
Legal commentary on the 2025 framework also notes that the compliance period was extended to 31 December 2025 for certain open banking integration obligations.
For fintech companies, these developments show that open banking compliance in Turkey is not static. Technical integration deadlines, API standards, certification requirements, and scope definitions may change. A company planning to launch open banking services must review the current regulatory position before product launch.
Customer Consent in Open Banking
Customer consent is one of the foundations of open banking. Without proper consent, access to account information or initiation of payment transactions may be unlawful. However, consent in open banking should not be treated as a simple checkbox. It must be specific, informed, clear, and technically verifiable.
A proper consent process should explain:
Which provider will access the account
Which account will be accessed
What data will be accessed
Whether the service is account information or payment initiation
How long the access will last
Whether recurring access is requested
How the customer can revoke consent
What security steps are required
How customer data will be processed
What fees may apply
Who is responsible for the service
The user interface is legally important. If consent language is hidden, confusing, bundled with unrelated terms, or presented in a misleading way, the provider may face legal challenges. In open banking, design is compliance. The app screen, consent journey, redirect flow, confirmation page, and notification system should all reflect legal requirements.
Strong Customer Authentication and Security
Open banking creates opportunities, but it also expands the attack surface for fraud. If a third-party provider can access account data or initiate payments, strong security controls are essential.
The BRSA regulation on information systems and electronic banking services sets minimum standards for information systems, electronic banking services, risk management, and information systems controls used by banks. For payment and electronic money institutions, the CBRT’s communiqué on information systems and data sharing services is also central. The CBRT confirms that this communiqué was introduced as part of the regulatory framework for payment and electronic money institutions and data sharing services.
Security obligations in open banking may include:
Strong customer authentication
Secure API communication
Encryption of data in transit and at rest
Access token management
Consent verification
Session management
Fraud monitoring
Transaction risk analysis
API rate limiting
Logging and audit trails
Incident response
Penetration testing
Business continuity planning
Vendor security controls
Open banking providers should also prepare for phishing, social engineering, account takeover, API abuse, credential theft, malware, session hijacking, and unauthorized payment initiation.
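To make the consent and security points above concrete (consent that is specific, time-limited and revocable; consent verification before every API call; logging and audit trails), the following is an added illustration, not code from this article, from any Turkish regulator, bank, or the BKM infrastructure. It does not implement Turkey's actual data-sharing API standard; provider ids, account ids, IP addresses and timestamps are constructed, and strong customer authentication is assumed to have happened before the consent was recorded. Each access request from a third-party provider is checked against the consent's provider, account, expiry, revocation status, granted scope and one-off/recurring nature, and every decision is written to a hash-chained audit log so that later tampering with the evidence can be detected.

```python
"""Consent verification gate with a tamper-evident audit trail.

Added example; constructed names and data, not a regulator's or BKM's code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import json


@dataclass
class Consent:
    consent_id: str
    provider_id: str            # constructed id of the authorized third-party provider
    account_id: str             # constructed id of the customer's payment account
    service: str                # "account_information" or "payment_initiation"
    scopes: frozenset           # e.g. {"balances", "transactions"} or {"initiate_payment"}
    granted_at: datetime
    expires_at: datetime
    recurring: bool             # False = single-use consent (typical for one payment)
    revoked_at: Optional[datetime] = None
    uses: int = 0


class ConsentGate:
    """Stores consents and records every grant, revocation and access decision."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._consents: dict[str, Consent] = {}
        self.audit_log: list[dict] = []

    def _log(self, event: str, now: datetime, **details) -> None:
        # Each entry carries the hash of the previous entry, forming a chain.
        prev = self.audit_log[-1]["hash"] if self.audit_log else self.GENESIS
        entry = {"ts": now.isoformat(), "event": event, "prev_hash": prev, **details}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def grant(self, c: Consent, now: datetime, ip: str, device: str) -> None:
        self._consents[c.consent_id] = c
        self._log("consent_granted", now, consent_id=c.consent_id, provider_id=c.provider_id,
                  account_id=c.account_id, service=c.service, scopes=sorted(c.scopes),
                  expires_at=c.expires_at.isoformat(), recurring=c.recurring, ip=ip, device=device)

    def revoke(self, consent_id: str, now: datetime, ip: str) -> bool:
        c = self._consents.get(consent_id)
        if c is None or c.revoked_at is not None:
            return False
        c.revoked_at = now
        self._log("consent_revoked", now, consent_id=consent_id, ip=ip)
        return True

    def authorize(self, consent_id: str, provider_id: str, account_id: str,
                  scope: str, now: datetime) -> tuple[bool, str]:
        """Decide whether one API request is covered by the consent; log the decision."""
        c = self._consents.get(consent_id)
        reason = "ok"
        if c is None:
            reason = "unknown_consent"
        elif c.provider_id != provider_id:
            reason = "provider_mismatch"          # consent is not transferable between providers
        elif c.account_id != account_id:
            reason = "account_mismatch"           # consent names one specific account
        elif now >= c.expires_at:
            reason = "consent_expired"
        elif c.revoked_at is not None:
            reason = "consent_revoked"
        elif scope not in c.scopes:
            reason = "scope_not_granted"          # e.g. an AIS consent used to initiate a payment
        elif not c.recurring and c.uses >= 1:
            reason = "one_off_consent_already_used"
        allowed = reason == "ok"
        if allowed:
            c.uses += 1
        self._log("access_decision", now, consent_id=consent_id, provider_id=provider_id,
                  account_id=account_id, scope=scope, allowed=allowed, reason=reason)
        return allowed, reason

    def verify_audit_chain(self) -> bool:
        """Recompute every hash; any edited or removed entry breaks the chain."""
        prev = self.GENESIS
        for entry in self.audit_log:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Constructed scenario: one recurring AIS consent and one single-use PIS consent."""
    t0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
    gate = ConsentGate()
    ais = Consent("c-ais-1", "tpp-budget-app", "acct-001", "account_information",
                  frozenset({"balances", "transactions"}), t0, t0 + timedelta(days=90), recurring=True)
    pis = Consent("c-pis-1", "tpp-checkout", "acct-001", "payment_initiation",
                  frozenset({"initiate_payment"}), t0, t0 + timedelta(minutes=10), recurring=False)
    gate.grant(ais, t0, ip="203.0.113.10", device="android-app-1.4")
    gate.grant(pis, t0, ip="203.0.113.10", device="android-app-1.4")
    r = {}
    r["balances_ok"] = gate.authorize("c-ais-1", "tpp-budget-app", "acct-001", "balances", t0 + timedelta(days=1))
    r["other_provider"] = gate.authorize("c-ais-1", "tpp-checkout", "acct-001", "balances", t0 + timedelta(days=1))
    r["wrong_scope"] = gate.authorize("c-ais-1", "tpp-budget-app", "acct-001", "initiate_payment", t0 + timedelta(days=1))
    r["payment_first"] = gate.authorize("c-pis-1", "tpp-checkout", "acct-001", "initiate_payment", t0 + timedelta(minutes=1))
    r["payment_replay"] = gate.authorize("c-pis-1", "tpp-checkout", "acct-001", "initiate_payment", t0 + timedelta(minutes=2))
    gate.revoke("c-ais-1", t0 + timedelta(days=2), ip="203.0.113.10")
    r["after_revoke"] = gate.authorize("c-ais-1", "tpp-budget-app", "acct-001", "balances", t0 + timedelta(days=3))
    r["after_expiry"] = gate.authorize("c-ais-1", "tpp-budget-app", "acct-001", "balances", t0 + timedelta(days=91))
    r["chain_ok"] = gate.verify_audit_chain()
    gate.audit_log[2]["allowed"] = not gate.audit_log[2]["allowed"]   # simulate editing a decision
    r["chain_after_tamper"] = gate.verify_audit_chain()
    return r
```

The point of the design is that the account servicing provider never trusts the caller's description of what was consented to: every request is resolved against the stored consent record, a single-use payment consent cannot be replayed, and the log that would later be produced in a dispute or regulatory review is one whose integrity can be checked rather than asserted. A production system would additionally bind the consent to the strong customer authentication event and to the provider's client credentials, which this example assumes rather than shows.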
Data Protection and KVKK Compliance
Open banking is fundamentally a data-driven model. This makes KVKK compliance one of the most important legal challenges. Financial data can be highly sensitive even when it is not classified as special category personal data. Transaction history may reveal private life, commercial relationships, income level, debt status, spending behavior, political donations, union-related payments, health-related payments, or religious donations.
An open banking provider must identify its role under data protection law. Depending on the model, the provider may act as a data controller, data processor, or joint controller. The role analysis affects privacy notices, customer rights, legal basis, retention, breach notification, vendor contracts, and cross-border transfer obligations.
A KVKK-compliant open banking structure should include:
Clear privacy notices
Purpose limitation
Data minimization
Lawful basis analysis
Explicit consent mechanisms where required
Customer rights procedures
Retention and deletion policies
Data processing agreements
Cross-border transfer review
Access controls
Security measures
Breach response plans
Vendor and subcontractor controls
A common mistake is using open banking data for unrelated purposes. For example, a personal finance app may collect account data to show the customer spending analytics. If the same data is later used for targeted advertising, credit scoring, partner marketing, or resale to third parties without proper legal basis, serious KVKK risk may arise.
AML and KYC Issues in Open Banking
Open banking also affects anti-money laundering and know-your-customer compliance. Depending on the business model, open banking data may help financial institutions understand customer behavior, detect suspicious transactions, verify income, or assess transaction patterns. However, it may also create AML risks if payment initiation is used to move funds rapidly or if account aggregation tools are abused by fraudsters.
MASAK’s legal framework under Law No. 5549 regulates the prevention of laundering proceeds of crime, suspicious transaction reporting, information and document obligations, record retention, training, internal controls, risk management, and compliance programs.
Open banking providers should consider AML questions such as:
Is the provider an obliged party under MASAK rules?
Does the service involve payment initiation?
Can the service be used to move funds rapidly?
Are customer identities verified?
Are beneficial owners identified for business customers?
How are suspicious patterns detected?
Can account data support risk scoring?
How are suspicious transactions escalated?
Are records retained for regulatory review?
How is customer data protected during AML analysis?
For payment initiation services, transaction monitoring and fraud detection are especially important. A provider that initiates payments without proper risk controls may become exposed to fraud, unauthorized transaction claims, or suspicious transaction concerns.
Open Banking and Competition
Open banking may increase competition in the financial sector by reducing customer dependence on a single bank interface. When customers can securely share account data with authorized providers, fintech companies can build comparison tools, budgeting apps, alternative scoring systems, merchant payment solutions, and SME finance dashboards.
From a competition perspective, open banking can reduce data monopolies and support innovation. It may allow smaller fintech companies to compete with large banks by offering better user experience, better analytics, lower-cost payment flows, and customized services.
However, competition benefits depend on fair access, secure standards, reasonable technical requirements, and non-discriminatory treatment of authorized providers. If technical access is unreliable, delayed, or commercially restricted, open banking may not achieve its full market potential.
The OECD’s 2025 note on competition in mobile payment services stated that competition in the payments domain is no longer limited to traditional banking actors and has become more diversified. Open banking is one of the regulatory and technological mechanisms that supports this diversification.
Commercial Opportunities in Open Banking
Open banking creates many business opportunities in Turkey. Potential use cases include:
Personal finance management applications
Multi-bank account dashboards
SME cash-flow management tools
Automated accounting integrations
Account-to-account merchant payments
Invoice payment automation
Creditworthiness analysis
Income verification
Subscription payment management
Wealth management dashboards
Expense categorization
Budgeting tools
Embedded finance services
Bank-fintech partnership products
Alternative lending support tools
For SMEs, open banking may be especially valuable. Many small businesses use multiple bank accounts, payment providers, card terminals, e-commerce platforms, and accounting systems. Open banking can help consolidate financial data and automate cash-flow analysis.
For consumers, open banking may improve control over personal finances. Users may view all accounts in one app, compare financial products, track spending, and authorize payments more easily.
For banks, open banking can be both a challenge and an opportunity. Banks may face competition from fintech interfaces, but they can also develop partnerships, API-based products, and embedded finance models.
Relationship Between Open Banking and Banking-as-a-Service
Open banking and Banking-as-a-Service are related but different concepts.
Open banking generally involves regulated access to account data or payment initiation based on customer consent. It allows authorized third-party providers to interact with customer accounts held by banks or payment service providers.
Banking-as-a-Service, or BaaS, involves a licensed bank providing banking services through the interface of another company. In BaaS, the service bank remains the regulated provider of the banking service, while the interface provider offers the customer-facing channel.
The BRSA’s digital banking regulation governs Banking-as-a-Service and branchless banking models. Open banking may be used within or alongside BaaS structures, but the legal analysis is different. A fintech company may be an account information service provider, payment initiation service provider, BaaS interface provider, payment institution, electronic money institution, or technical service provider depending on its actual role.
A fintech company should not assume that one authorization covers all models. A BaaS interface provider may still need payment services authorization if it separately provides payment initiation or account information services.
Liability in Open Banking
Liability is one of the most complex issues in open banking. When something goes wrong, several parties may be involved: the customer, the account servicing provider, the account information service provider, the payment initiation service provider, the API infrastructure provider, and possibly a merchant.
Disputes may arise from:
Unauthorized payment initiation
Incorrect payment amount
Wrong beneficiary
Failed or delayed payment
Incorrect account information
Data breach
Consent dispute
Customer authentication failure
API outage
Fraudulent account access
Misleading user interface
Unlawful data sharing
Service interruption
Duplicate transactions
Incorrect transaction categorization
A strong open banking contract structure should allocate responsibility between the parties. However, consumer protection and mandatory financial regulation may limit how liability can be shifted. Customer-facing terms should be clear and fair.
Evidence is crucial. Providers should retain logs showing customer consent, authentication steps, API calls, transaction instructions, timestamps, IP addresses, device information, error messages, and customer notifications. In litigation or regulatory review, these records may determine liability.
Cross-Border Open Banking Services
Foreign fintech companies may be interested in offering open banking products to Turkish users. However, cross-border models require careful legal analysis.
A foreign company may trigger Turkish regulatory requirements if it:
Targets Turkish customers
Uses Turkish-language marketing
Connects to Turkish payment accounts
Initiates payments from Turkish accounts
Aggregates Turkish bank account data
Works with Turkish banks or payment institutions
Processes Turkish customer data abroad
Offers customer support in Turkey
Charges fees to Turkish users
Uses Turkish payment infrastructure
Foreign authorization may not be sufficient to operate in Turkey. A company licensed in another jurisdiction should review whether Turkish authorization, local incorporation, CBRT permission, data transfer compliance, MASAK obligations, or local partnership arrangements are required.
Cross-border data transfers are also sensitive under KVKK. Open banking data should not be transferred abroad without proper legal basis and compliance with applicable transfer rules.
Common Compliance Challenges
Open banking providers in Turkey face several practical compliance challenges:
Determining whether the service is regulated
Obtaining appropriate authorization
Connecting to required infrastructure
Meeting API and security standards
Managing customer consent properly
Aligning UX design with legal disclosures
Protecting personal data under KVKK
Preventing unauthorized access
Handling AML and fraud risks
Maintaining transaction and consent records
Coordinating liability with banks and payment providers
Responding to customer complaints
Managing vendor and cloud risks
Monitoring regulatory changes
Avoiding misleading marketing claims
The biggest mistake is treating open banking as a purely technical integration. Open banking requires legal, compliance, technical, cybersecurity, data protection, product, and customer support teams to work together.
Practical Compliance Checklist for Open Banking in Turkey
A fintech company planning to offer open banking services in Turkey should consider the following checklist:
Classify the service as account information, payment initiation, technical service, BaaS, or another model.
Determine whether CBRT authorization is required.
Review Law No. 6493 and applicable CBRT secondary legislation.
Assess whether BRSA banking information systems rules are relevant.
Confirm whether the company must connect through BKM infrastructure.
Review current integration and compliance deadlines.
Design customer consent flows clearly.
Implement strong customer authentication.
Prepare API security and information systems controls.
Map all data flows.
Prepare KVKK privacy notices and data processing agreements.
Review cross-border data transfer risks.
Establish AML and fraud monitoring where relevant.
Draft customer terms and provider agreements.
Allocate liability for errors, delays, fraud, and outages.
Prepare complaint handling procedures.
Retain consent, authentication, and transaction logs.
Review vendor and outsourcing contracts.
Test incident response and business continuity plans.
Monitor CBRT, BRSA, MASAK, KVKK, and BKM updates continuously.
This checklist should be adapted to the exact business model. An account aggregation app, payment initiation provider, SME accounting platform, merchant payment solution, and BaaS interface provider will not have identical obligations.
Why Legal Support Is Important
Open banking projects require legal support because they combine financial regulation, banking law, data protection, cybersecurity, AML, technology contracts, consumer protection, and commercial strategy.
A fintech lawyer can assist with:
Regulatory classification
Payment initiation authorization analysis
Account information service compliance
CBRT licensing strategy
BKM integration legal review
Customer consent design
KVKK compliance
API and outsourcing contracts
Bank partnership agreements
Liability allocation
AML and fraud risk analysis
Consumer terms drafting
Cross-border market entry
Regulatory correspondence
Dispute resolution and litigation
Legal support should begin before development is complete. In open banking, legal requirements affect technical design. Consent screens, API architecture, data retention, authentication, customer notifications, and complaint workflows all have legal consequences.
Conclusion
Open banking in Turkey offers major opportunities for fintech innovation, competition, financial inclusion, customer experience, and embedded finance. It can help consumers and businesses access better financial tools, allow fintech companies to build new services, and encourage banks to develop API-based partnerships.
However, open banking is a regulated activity. It is not merely data sharing, screen scraping, or software integration. Payment initiation services and account information services may require authorization and must comply with CBRT rules, banking information systems requirements, customer consent principles, KVKK, cybersecurity standards, AML obligations, and consumer protection rules.
The most important legal principle is that the customer must remain in control. Account access, data sharing, and payment initiation should occur only through transparent, secure, authorized, and auditable processes.
For fintech companies entering the Turkish market, open banking can be a powerful opportunity. But the business model must be structured carefully from the beginning. Companies that combine strong technology with sound legal compliance will be better positioned to build trust, secure partnerships, satisfy regulators, protect customer data, and scale sustainably.
Open banking is not only a technological trend. It is a legal infrastructure for the next stage of digital finance in Turkey.