Financial Data Sharing in Turkey: Open Finance Beyond Open Banking

Introduction

Financial data sharing is one of the most important legal and technological developments in the Turkish fintech ecosystem. Banks, payment institutions, electronic money institutions, digital wallets, investment platforms, insurance companies, credit providers, crypto asset service providers, and technology companies increasingly rely on data to offer faster, more personalized, and more integrated financial services. Customers now expect to see multiple accounts in one application, initiate payments through third-party interfaces, receive automated budgeting insights, compare credit offers, access investment dashboards, and manage financial products through a single digital environment.

This transformation is usually discussed under the title of open banking. However, the next stage is broader: open finance. Open banking primarily focuses on banking and payment account data, especially account information services and payment initiation services. Open finance goes further by extending data sharing to a wider range of financial products such as loans, insurance, investments, pensions, crypto assets, merchant data, tax-related financial data, and potentially broader personal financial management tools.

In Turkey, the legal framework is still more developed for open banking and payment data sharing than for full open finance. The most concrete statutory basis is found in Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, which was amended to include payment initiation services and account information services within the scope of payment services. The CBRT’s 2022 annual report explains that Article 12 of Law No. 6493 was amended to include payment initiation service and the service of presenting consolidated information regarding payment accounts on online platforms, collectively referred to as Data Sharing Services in the Field of Payments.

At the same time, financial data sharing in Turkey cannot be understood only through payment services law. It also involves bank secrecy, customer secrets, personal data protection, cybersecurity, outsourcing, API security, consumer protection, MASAK/AML rules, and sector-specific regulatory expectations. The BRSA’s Regulation on Information Systems and Electronic Banking Services defines open banking services and APIs within the banking information systems framework and sets minimum procedures and principles for banking information systems and electronic banking controls.

This article explains financial data sharing in Turkey, including open banking, open finance, API-based data sharing, customer consent, bank secrecy, KVKK compliance, cross-border transfers, data security, liability, and practical compliance steps for fintech companies and financial institutions.


1. What Is Financial Data Sharing?

Financial data sharing means the controlled transfer, access, use, or display of financial information between institutions, platforms, service providers, and customers. It may occur through APIs, banking applications, payment initiation systems, account information dashboards, data aggregators, embedded finance tools, credit scoring systems, financial management applications, or open banking interfaces.

Financial data may include:

Bank account balances
Payment account information
Transaction history
Loan repayment data
Credit card spending
Merchant turnover
Wallet balances
Payment initiation records
Investment portfolio data
Insurance policy information
Pension data
Crypto asset transaction records
Income and cash flow data
Invoice and receivable data
Tax-related financial information
Customer risk profile
Consent and authorization records

The legal risk arises because financial data is highly sensitive. It can reveal a person’s income, habits, debts, family relationships, medical expenses, political or religious spending, business health, creditworthiness, location patterns, and economic vulnerability. For businesses, financial data may reveal turnover, customer base, supplier relationships, cash flow, debt exposure, tax position, and commercial strategy.

Therefore, financial data sharing must be based on legal authority, customer instruction or consent where required, clear purpose limitation, strong security, and transparent responsibility allocation.


2. Open Banking in Turkey

Open banking generally refers to the secure sharing of banking or payment account data with authorized third-party providers, usually through APIs. It allows customers to access account information from different providers in one interface or initiate payments through third-party applications.

BKM describes open banking as the sharing of financial data with authorized third-party service providers in a secure environment, and states that Data Sharing Services in the Field of Payment include two essential services under the open banking framework: account information services and payment initiation services.

In Turkey, the open banking framework is closely tied to payment services law. The two key services are:

Account Information Service: A service that allows users to view consolidated payment account information through an online platform.

Payment Initiation Service: A service that allows a user to initiate a payment order from a payment account through a third-party provider.

These services are not ordinary software features. They are regulated payment services under Law No. 6493 when provided as defined by law. This means that fintech companies offering account aggregation or payment initiation must carefully review licensing, CBRT authorization, technical standards, data security, customer consent, and regulatory compliance.


3. Open Finance Beyond Open Banking

Open finance is broader than open banking. While open banking mainly concerns payment accounts and payment initiation, open finance may include a wider range of financial data and services.

Open finance may cover:

Bank account data
Payment account data
Credit and loan data
Mortgage data
Insurance policy data
Pension savings data
Investment portfolio data
Brokerage account data
Crypto asset account data
Merchant settlement data
E-commerce cash flow data
Tax and invoice data
Digital wallet data
BNPL repayment data
Financial planning data

The purpose of open finance is to give individuals and businesses more control over their financial data and allow authorized providers to deliver better financial services. For example, a small business may authorize a fintech platform to access bank account data, merchant settlement data, invoice data, and tax records to receive a better working capital offer. A consumer may authorize an app to analyze bank accounts, credit card spending, pension savings, and insurance policies to produce a full financial health dashboard.

However, Turkey’s current legal framework is not yet a comprehensive open finance regime covering all financial sectors equally. The clearest legal framework exists for payment data sharing services under Law No. 6493 and CBRT-related rules. Broader open finance projects must therefore be structured through existing laws on banking confidentiality, KVKK, sector-specific regulation, customer consent, contracts, and cybersecurity.


4. Payment Data Sharing Services

Payment data sharing services are the legal foundation of open banking in Turkey. The CBRT’s 2022 annual report explains that payment initiation and consolidated payment account information services were added to Article 12 of Law No. 6493 and defined as payment services.

BKM identifies these services as Data Sharing Services in the Field of Payment and explains that they are essential services within the open banking framework.

This means that a fintech company providing account information services or payment initiation services may need authorization as a payment institution from the CBRT. Legal commentary on the CBRT’s data sharing services guideline also notes that payment institutions providing account information and payment initiation services are required to obtain operating licenses from the CBRT.

Payment data sharing services must address:

Customer authorization
Secure API access
Strong authentication
Data minimization
Transaction security
Access revocation
Consent records
Regulatory reporting
Incident response
Customer complaints
Liability for failed or unauthorized transactions

A company should not present account aggregation or payment initiation as a simple “screen scraping” or “data dashboard” service. If it falls within the legal definition of payment services, licensing and CBRT compliance become central.


5. APIs and Technical Infrastructure

APIs are the technical backbone of open banking and open finance. An API allows one system to access certain functions or data of another system in a controlled, standardized, and secure way.

The BRSA information systems regulation defines API within the banking framework and regulates open banking services as part of electronic banking services and information systems controls. The regulation’s purpose is to set minimum procedures and principles for banks’ information systems, electronic banking services, related risks, and information systems controls.

In financial data sharing, API design should address:

Authentication
Authorization
Consent verification
Scope of access
Data minimization
Rate limits
Logging
Encryption
Token management
Access revocation
Error handling
Auditability
Incident monitoring
Third-party provider validation

Poor API design can create serious legal risk. Unauthorized access to account data, excessive data sharing, weak token security, unclear consent, or lack of logging may lead to KVKK violations, bank secrecy issues, customer disputes, cybersecurity incidents, and regulatory sanctions.

A secure open finance model must be based on API governance, not informal data transfer.


6. Customer Consent, Instruction, and Control

Financial data sharing must be based on customer control. Customers should know what data is shared, with whom, for what purpose, for how long, and how they can revoke access.

A valid financial data sharing process should answer:

Which institution shares the data?
Which third party receives the data?
What categories of data are shared?
What is the purpose of sharing?
Is the sharing one-time or continuous?
How long does access continue?
Can the customer revoke access?
What happens after revocation?
Is the data used for profiling, scoring, or marketing?
Is the data transferred abroad?
Who handles complaints?

Consent and authorization screens should be clear. Users should not approve broad access to “all financial data” without understanding the consequences. Access should be purpose-limited and proportionate.

For example, a budgeting app may need transaction descriptions and balances, but it may not need full identity documents or unrelated loan files. A lending platform may need cash flow data for credit assessment, but it should not reuse that data for unrelated marketing without proper legal basis.


7. Bank Secrecy and Customer Secrets

Financial data sharing in Turkey is especially sensitive because bank customer information may qualify as customer secret or confidential banking information. This creates obligations beyond ordinary personal data protection.

The BRSA Regulation on the Disclosure of Confidential Information states that its purpose is to determine the scope, form, procedures, and principles for sharing and transferring bank secrets and client secrets. The regulation is based on Articles 73 and 93 of Banking Law No. 5411.

This means that a bank cannot freely share customer data with fintech companies, group companies, analytics providers, or foreign vendors merely because doing so is commercially useful. Even when customers give instructions or consent, the bank must ensure that sharing is lawful, limited, necessary, and consistent with banking confidentiality rules.

Bank secrecy issues are especially important in:

Open banking integrations
BaaS partnerships
Credit scoring arrangements
Data analytics projects
Cloud-based financial dashboards
Group company data transfers
Cross-border financial data sharing
Embedded finance platforms
Customer profiling tools

Fintech companies receiving bank-originated customer data should treat it as highly sensitive regulated information. They should not reuse it for unrelated analytics, marketing, model training, or resale unless the legal basis is clear and permitted.


8. KVKK and Financial Data Protection

The Turkish Personal Data Protection Law, known as KVKK, applies to financial data whenever the data relates to an identified or identifiable natural person. KVKK’s official English text states that the law’s purpose is to protect fundamental rights and freedoms, particularly privacy, in relation to personal data processing.

Financial data sharing under KVKK must comply with core principles:

Lawfulness and fairness
Accuracy and up-to-date processing
Specified, explicit, and legitimate purposes
Relevance, limitation, and proportionality
Retention only as long as necessary

Fintech companies and financial institutions must also determine whether they are acting as data controllers, joint controllers, independent controllers, or data processors. This classification affects responsibility for privacy notices, lawful basis, data subject requests, security measures, breach notifications, and vendor management.

KVKK compliance for open finance should include:

Privacy notices
Data processing inventory
Lawful basis analysis
Explicit consent where required
Data minimization
Retention and deletion policy
Cross-border transfer review
Vendor contracts
Data subject request workflow
Access controls
Breach response plan
Audit records

Financial data is not always legally classified as special category personal data, but it is practically sensitive. A financial transaction history can reveal deeply personal information. Therefore, open finance platforms should apply strong protection even where the legal category is ordinary personal data.


9. Cross-Border Transfers of Financial Data

Open finance often involves cloud services, foreign analytics tools, global API providers, international group companies, fraud detection vendors, and cross-border support teams. This may trigger KVKK Article 9.

Article 9 of KVKK was amended in 2024. The current text states that personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision regarding the destination country, sector, or international organization. If there is no adequacy decision, transfers may be possible through appropriate safeguards, provided data subjects can exercise their rights and access effective remedies.

The KVKK Authority also announced translations of the by-law and standard contract texts for cross-border personal data transfers following the 2024 amendment.

In financial data sharing, cross-border transfers should be reviewed carefully because the data may also be protected by bank secrecy, payment services rules, outsourcing restrictions, or sector-specific confidentiality rules. KVKK compliance alone may not be sufficient.

A fintech company should check:

Where data is stored
Where backups are located
Who can access data remotely
Whether foreign vendors receive financial data
Whether customer secret rules apply
Whether standard contracts or safeguards are needed
Whether onward transfers are controlled
Whether data is used for AI model training
Whether deletion after termination is possible


10. Open Finance and Credit Scoring

One of the most important uses of open finance is credit scoring. A lender may use bank account data, payment history, merchant turnover, invoice flows, wallet activity, and spending behavior to assess creditworthiness. This can help consumers and SMEs who lack traditional credit history.

However, open finance-based credit scoring creates serious legal risks.

Key issues include:

Was access to financial data validly authorized?
Was only necessary data collected?
Was the borrower informed about scoring?
Can the borrower correct inaccurate data?
Is the scoring model biased?
Is automated decision-making used?
Is data retained longer than necessary?
Is data reused for unrelated marketing?
Are third-party vendors involved?

A responsible lender should not collect all available financial data simply because it can. Credit scoring must be proportionate to the lending purpose. If the loan is small, accessing years of unrelated transaction history may be excessive.

Open finance can improve responsible lending, but it can also create excessive surveillance if not properly limited.


11. Open Finance and Personal Financial Management Apps

Personal financial management apps are a common open finance use case. They may help users view accounts, classify spending, create budgets, track subscriptions, monitor debt, calculate net worth, and receive financial recommendations.

These apps may process highly detailed transaction data. They may classify spending into categories such as healthcare, education, religion, travel, family, legal expenses, entertainment, or political donations. Even if the app does not intend to process sensitive categories, transaction descriptions can create sensitive inferences.

Personal finance apps should provide:

Clear privacy notices
Specific consent or authorization flows
Limited access duration
Easy revocation
Data deletion options
No hidden sale of transaction data
No excessive profiling
Strong security
Transparent recommendation logic
Complaint channels

If the app recommends loans, insurance, investment products, or crypto assets based on data analysis, additional sector-specific rules may apply.


12. Open Finance and Investment Services

Open finance may also affect investment platforms. A user may want to combine bank account data, brokerage account data, pension savings, fund holdings, crypto assets, and insurance products in one dashboard.

This creates regulatory questions. Investment advice, portfolio management, brokerage, robo-advisory, and capital markets services may require CMB authorization depending on the activity. A dashboard that merely displays user data may be different from a platform that recommends investment products, rebalances portfolios, or ranks funds based on user data.

Investment-related open finance should consider:

CMB licensing rules
Investor suitability analysis
Risk profiling
Investment advice restrictions
Portfolio management rules
Data accuracy
Conflict of interest
Customer consent
KVKK compliance
Cybersecurity
Complaint handling

A fintech company should avoid turning a financial dashboard into unlicensed investment advisory activity.


13. Open Finance and Insurance Data

Open finance may eventually include insurance data. Consumers may want to view all insurance policies, premiums, claims history, coverage limits, and renewal dates in one app. Businesses may want to share insurance data with lenders or risk analytics platforms.

Insurance data can be sensitive, especially health insurance, life insurance, accident claims, vehicle claims, and disability-related records. Health insurance data may involve special category personal data under KVKK.

Insurance-related open finance should address:

Policyholder consent
Health data rules
Insurer confidentiality
Claims data accuracy
Third-party access
Purpose limitation
Cross-border vendors
Retention periods
Consumer transparency
Use in pricing or underwriting

Open insurance may create innovation, but it must be built carefully because insurance data can reveal private life, health status, financial vulnerability, and risk profile.


14. Open Finance and Crypto Asset Data

Crypto asset platforms and wallets may also become part of open finance. Users may want to aggregate crypto portfolios, exchange balances, wallet addresses, transaction histories, DeFi positions, stablecoin holdings, and tax reports.

Turkey’s crypto asset framework has developed significantly with CMB regulation of crypto asset service providers. However, crypto open finance raises special issues because blockchain data may be public, wallet addresses may be pseudonymous, and transfers may be irreversible.

Crypto financial data sharing should consider:

CMB crypto asset service provider rules
Wallet address privacy
Blockchain analytics
Custody records
AML risk
Travel Rule compliance
User consent
Cross-border platform access
Tax reporting
Cybersecurity
Data breach risk

A wallet address can become personal data if linked to an identifiable person. Therefore, crypto open finance platforms should not assume that on-chain data is automatically outside KVKK.


15. Security and Authentication

Security is central to financial data sharing. If unauthorized persons access financial data, users may suffer identity theft, fraud, financial loss, reputational harm, or discrimination.

The BRSA’s banking information systems regulation sets minimum principles for managing information systems and electronic banking risks. Open banking and open finance systems should apply similar security discipline, even where a specific institution is not a bank.

Security controls should include:

Strong customer authentication
Consent verification
API security
Delegated authorization with scoped, short-lived access tokens (OAuth 2.0 style) where appropriate
Token expiration
Encryption
Device binding
Rate limits
Anomaly detection
Audit logs
Access revocation
Incident monitoring
Penetration testing
Business continuity
Vendor security review
Data breach response

The user should be able to see and manage active data permissions. A financial data sharing system without easy revocation is weak from both a legal and trust perspective.


16. Data Minimization and Purpose Limitation

Data minimization is a key principle in open finance. A service provider should collect only the data needed for the specific service.

Examples:

A budgeting app may need transaction categories and balances, but not identity document copies.
A lender may need recent cash flow, but not unrelated years of personal spending history.
A merchant financing tool may need sales and settlement data, but not personal family transfers.
An insurance comparison app may need policy data, but not full bank account history.

Purpose limitation is equally important. Data collected for account aggregation should not automatically be used for credit marketing. Data collected for payment initiation should not automatically be used for behavioral profiling. Data collected for fraud monitoring should not automatically be sold to third parties.

Open finance depends on trust. Excessive data collection can damage that trust and create legal risk.


17. Liability in Financial Data Sharing

Financial data sharing creates multiple liability scenarios.

Possible claims include:

Unauthorized access to account data
Incorrect account information displayed
Payment initiated without valid authorization
Data shared beyond consent
Data retained after revocation
Data breach
Improper cross-border transfer
Incorrect credit decision due to faulty data
Misleading financial recommendation
API outage causing transaction failure
Consumer confusion about service provider identity
Bank secrecy violation
Unlawful profiling

Liability may fall on the bank, payment institution, third-party provider, interface provider, API aggregator, cloud vendor, or data controller depending on the facts. Contracts should allocate responsibilities, but regulatory and consumer-facing liability may not be fully shifted by contract.

A strong open finance structure should preserve evidence:

Consent records
API access logs
Data categories shared
Access duration
Revocation records
Authentication logs
Transaction records
Customer notices
Complaint records
Security incident logs
Vendor access logs

Without evidence, it may be difficult to prove that data access was lawful and limited.


18. Contractual Structure for Open Finance Partnerships

Open finance partnerships require detailed contracts. A simple API integration agreement is not enough where financial data, bank secrets, payment services, personal data, or customer-facing functions are involved.

Relevant contracts may include:

API access agreement
Data sharing agreement
Data processing agreement
Confidentiality agreement
Open banking service agreement
Payment initiation agreement
Account information service agreement
Bank-fintech cooperation agreement
Cloud service agreement
Cybersecurity addendum
Incident response protocol
Customer complaint protocol
Regulatory audit clause
Termination and data deletion agreement

Key clauses should cover:

Scope of data access
Customer authorization
Data categories
Purpose limitation
Access duration
Revocation
Data retention
Security standards
Audit rights
Regulatory cooperation
Breach notification
Subcontractors
Cross-border transfers
Liability
Termination

The contract must align with the user interface. If the customer screen says access is limited to account balance, the API should not transfer full transaction history unless separately authorized.
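Sections 5, 15 and 16 list the controls an API must enforce, and the sentence above says the API must never release more than the consent screen showed. The following Python is an added example, not code from this article, from any bank, or from a CBRT, BKM or BRSA standard: it shows one way an account information endpoint can bind an opaque token to a specific consent and provider, check scope, expiry and revocation on every call, strip response fields outside the granted scope, and write an append-only audit record of every decision (the evidence section 17 asks institutions to preserve). The scope names, field names, in-memory store, fixed clock and sample account are assumptions made for the example.

```python
"""Consent-scoped access control for an account information API. Added
example, not code from the page or any Turkish open banking standard; scope
names, field names, the in-memory store and the sample account are assumed."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Assumed scope model: a scope unlocks only the fields the customer approved on screen.
SCOPE_FIELDS: Dict[str, FrozenSet[str]] = {
    "accounts:balance": frozenset({"iban", "currency", "balance"}),
    "accounts:transactions": frozenset({"iban", "currency", "transactions"}),
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed clock for the walkthrough
DAY = timedelta(days=1)

@dataclass
class Consent:
    consent_id: str
    customer_id: str
    tpp_id: str                  # third-party provider the customer authorised
    scopes: FrozenSet[str]
    purpose: str                 # kept so later reuse can be checked against it
    expires_at: datetime
    revoked_at: Optional[datetime] = None

def _digest(token: str) -> str:   # only digests are stored, never raw tokens
    return hashlib.sha256(token.encode()).hexdigest()

class ConsentStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, Consent] = {}
        self.audit_log: List[dict] = []      # append-only evidence trail

    def grant(self, customer_id: str, tpp_id: str, scopes: FrozenSet[str],
              purpose: str, ttl_days: int, now: datetime = NOW) -> str:
        unknown = set(scopes) - set(SCOPE_FIELDS)
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        consent = Consent("cns-" + secrets.token_hex(8), customer_id, tpp_id,
                          frozenset(scopes), purpose, now + ttl_days * DAY)
        token = secrets.token_urlsafe(32)          # opaque, high-entropy bearer token
        self._by_hash[_digest(token)] = consent
        self._log(now, consent.consent_id, tpp_id, "*", "grant", purpose)
        return token

    def revoke(self, token: str, now: datetime) -> None:
        consent = self._by_hash[_digest(token)]
        consent.revoked_at = now
        self._log(now, consent.consent_id, consent.tpp_id, "*", "revoke", "customer request")

    def authorize(self, token: str, tpp_id: str, scope: str,
                  now: datetime = NOW) -> Optional[Consent]:
        """Return the consent if the call is permitted, else None; log either way."""
        consent = self._by_hash.get(_digest(token))
        cid = consent.consent_id if consent else "-"
        if consent is None:
            reason = "unknown token"
        elif consent.tpp_id != tpp_id:
            reason = "token not bound to this provider"
        elif consent.revoked_at is not None and now >= consent.revoked_at:
            reason = "consent revoked"
        elif now >= consent.expires_at:
            reason = "consent expired"
        elif scope not in consent.scopes:
            reason = f"scope {scope} not authorised"
        else:
            self._log(now, cid, tpp_id, scope, "allow", "")
            return consent
        self._log(now, cid, tpp_id, scope, "deny", reason)
        return None

    def _log(self, now, cid, tpp_id, scope, decision, detail) -> None:
        self.audit_log.append({"ts": now.isoformat(), "consent_id": cid, "tpp_id": tpp_id,
                               "scope": scope, "decision": decision, "detail": detail})

def minimise(account: dict, scopes: FrozenSet[str]) -> dict:
    """Strip fields the granted scopes do not cover before the record leaves the API."""
    allowed = frozenset().union(*(SCOPE_FIELDS[s] for s in scopes))
    return {k: v for k, v in account.items() if k in allowed}

SAMPLE_ACCOUNT = {   # constructed sample record, not real customer data
    "iban": "TR000000000000000000000000", "currency": "TRY", "balance": "1250.40",
    "owner_national_id": "00000000000",
    "transactions": [{"date": "2025-01-02", "amount": "-320.00", "desc": "pharmacy"}],
}

def demo() -> dict:
    """Balance-only consent: scoped read allowed, over-broad and post-revocation reads denied."""
    store = ConsentStore()
    token = store.grant("cust-1", "tpp-budget", frozenset({"accounts:balance"}),
                        "budgeting dashboard", ttl_days=90)
    ok = store.authorize(token, "tpp-budget", "accounts:balance")
    over = store.authorize(token, "tpp-budget", "accounts:transactions")
    store.revoke(token, NOW + DAY)
    after = store.authorize(token, "tpp-budget", "accounts:balance", NOW + 2 * DAY)
    return {"view": minimise(SAMPLE_ACCOUNT, ok.scopes) if ok else None,
            "over_broad": over, "after_revoke": after,
            "denials": [e["detail"] for e in store.audit_log if e["decision"] == "deny"]}
```

In a real deployment the store would be a database and the token would normally be an OAuth 2.0 access token issued by the bank's authorization server after strong customer authentication. What should not change is that authorization is decided on every call against the live consent record rather than once at token issuance, so revocation and expiry take effect immediately, the response is filtered to the granted scope before it leaves the bank, and the log shows exactly which data was released under which consent to which provider.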


19. Practical Compliance Checklist for Financial Data Sharing in Turkey

A fintech company or financial institution planning a financial data sharing product should consider:

Classify the service: account information, payment initiation, personal finance dashboard, credit scoring, investment analytics, insurance data, crypto data, or broader open finance.

Check whether Law No. 6493 applies.

Determine whether CBRT authorization is required.

Review BRSA banking information systems and open banking rules where bank data is involved.

Review bank secrecy and customer secret restrictions.

Map personal data under KVKK.

Prepare clear customer authorization and consent flows.

Apply data minimization.

Define access duration and revocation.

Prepare privacy notices.

Review cross-border transfers under amended KVKK Article 9.

Review vendor and cloud providers.

Implement API security.

Preserve consent and access logs.

Prepare complaint handling procedures.

Review AML implications.

Review cybersecurity and incident response.

Avoid unlicensed investment, lending, insurance, or payment activity.

Draft data sharing and API contracts.

Monitor regulatory changes.

This checklist must be adapted to each model. A payment initiation service, account aggregation app, credit scoring tool, BaaS dashboard, investment aggregator, insurance data platform, and crypto portfolio tracker will not have identical obligations.


Why Legal Support Is Important

Financial data sharing in Turkey requires legal support because it combines payment services law, banking confidentiality, KVKK, cybersecurity, outsourcing, consumer protection, AML, sector-specific financial regulation, and contract law.

A fintech lawyer can assist with:

Open banking licensing analysis
Open finance product classification
CBRT payment data sharing compliance
BRSA open banking and API rules
Bank secrecy review
KVKK lawful basis analysis
Cross-border transfer review
Consent screen drafting
Data sharing agreements
API contracts
Cybersecurity clauses
Vendor due diligence
Credit scoring compliance
Investment or insurance data review
Customer dispute strategy
Regulatory correspondence

Legal review should begin before technical integration. Once financial data has already started flowing between institutions, correcting excessive access, missing consent, improper data transfers, or unclear responsibility may become difficult.


Conclusion

Financial data sharing in Turkey is moving from open banking toward open finance. The current legal framework is most developed for payment data sharing services, especially account information services and payment initiation services under Law No. 6493. The CBRT, BKM, and BRSA frameworks provide the core foundation for open banking and secure API-based data sharing.

However, open finance goes beyond payment accounts. It may include loans, insurance, investments, pensions, merchant data, crypto assets, wallets, and broader financial planning. Because Turkey does not yet have a single comprehensive open finance statute, these models must be structured through existing rules on payment services, banking secrecy, KVKK, cybersecurity, contracts, consumer protection, and sector-specific regulation.

The most important legal principles are customer control, purpose limitation, data minimization, security, transparency, and accountability. Customers should know what data is shared, with whom, why, for how long, and how access can be revoked. Financial institutions should protect bank secrets and customer secrets. Fintech companies should avoid excessive data collection and unauthorized financial activity. All parties should preserve audit-ready evidence.

Open finance can create major benefits for Turkish consumers, SMEs, fintech companies, banks, lenders, insurers, investors, and platforms. It can support better financial decisions, faster credit assessment, improved competition, and more personalized services. But these benefits can only be sustainable if financial data sharing is lawful, secure, transparent, and trusted.

In Turkey’s fintech market, data is becoming the new financial infrastructure. The companies that succeed will be those that treat financial data not merely as a commercial resource, but as a regulated asset requiring legal architecture, technical security, and customer trust.
