Introduction
Open banking in Turkey is one of the most important legal and technological developments transforming the Turkish financial sector. Traditional banking was historically based on a closed model: banks collected and stored customer data, and customers accessed financial services mainly through the bank’s own branches, internet banking platforms, mobile applications and call centers. Open banking changes this model by allowing authorized third-party providers to access certain customer financial data or initiate payment transactions through secure digital channels, usually with customer approval and under regulatory supervision.
In practical terms, open banking allows customers to view accounts held at different banks through one platform, compare financial products, manage cash flow, initiate payments, automate recurring transactions, verify account ownership, use budgeting tools, integrate bank data into accounting systems and access personalized fintech services. For companies, open banking can improve treasury management, payment reconciliation, invoice processing, risk scoring, lending decisions and financial automation. For consumers, it may provide easier budgeting, account aggregation, payment convenience and improved access to financial products.
Turkey’s open banking framework is mainly built on Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, the secondary regulations of the Central Bank of the Republic of Türkiye, banking information systems rules issued by the Banking Regulation and Supervision Agency, personal data protection rules and banking confidentiality principles. Law No. 6493 regulates payment and securities settlement systems, payment services, payment institutions and electronic money institutions, creating the legal foundation for payment-related open banking services in Turkey.
The Central Bank of the Republic of Türkiye launched open banking services in the payments area on 1 December 2022 through the Open Banking Gateway, known as GEÇİT, developed by the Interbank Card Center. In March 2026, the CBRT announced new open banking features, including expanded account information services, card information and transaction features, scheduled payment order initiation and recurring payment order initiation services.
This article explains open banking in Turkey, focusing on the legal framework, data sharing rules, customer consent, licensing, fintech opportunities, banking secrecy, KVKK compliance, cybersecurity and regulatory risks.
1. What Is Open Banking?
Open banking is a financial services model where customer banking data or payment account access can be shared with authorized third-party providers through secure technical interfaces, usually APIs. The purpose is to allow customers to use financial data and payment functionality beyond the bank’s own platform.
In the Turkish payment services context, open banking mainly involves two core services: account information services and payment initiation services. Account information services allow a licensed provider to present consolidated information relating to one or more payment accounts held by the customer at different payment service providers. Payment initiation services allow a provider, at the customer’s request, to initiate a payment order from the customer’s payment account held with another payment service provider.
This model is important because it shifts financial control toward the customer. Instead of each bank operating as a closed data silo, regulated data sharing enables new digital products and services. However, open banking also creates legal risks because it involves sensitive financial data, cybersecurity, customer authentication, banking secrecy, personal data protection and operational responsibility among multiple actors.
2. Legal Framework of Open Banking in Turkey
The main legal foundation for payment-related open banking in Turkey is Law No. 6493. The law’s objective is to regulate payment systems, securities settlement systems, payment services, payment institutions and electronic money institutions. It provides the statutory basis for payment service licensing and supervision by the Central Bank of the Republic of Türkiye.
The Turkish framework is not limited to Law No. 6493. Open banking also interacts with the following legal sources:
Banking Law No. 5411, especially where banks provide electronic banking services, share customer data or interact with third-party providers.
BRSA Regulation on Information Systems and Electronic Banking Services of Banks, which defines minimum procedures and principles for banks’ information systems, electronic banking services, risk management and information systems controls.
CBRT secondary regulations and guidelines on payment services, electronic money institutions and data sharing services in the payment services area.
Personal Data Protection Law No. 6698, known as KVKK, where customer data relates to identified or identifiable natural persons.
Banking confidentiality rules, especially Article 73 of Banking Law No. 5411 and the BRSA Regulation on the Disclosure of Confidential Information, where customer secrets are shared.
Therefore, open banking in Turkey is not merely a fintech business model. It is a regulated legal structure requiring licensing, technical certification, customer authorization, data minimization, security controls, audit trails and regulatory compliance.
3. CBRT’s Role in Open Banking
The Central Bank of the Republic of Türkiye is the primary regulator for payment services and electronic money institutions. In the open banking context, the CBRT supervises payment initiation services and account information services provided within the payment services framework.
The CBRT announced the launch of open banking services in the payments area on 1 December 2022. According to the CBRT’s press release, participating banks began providing services through the Open Banking Gateway infrastructure developed by the Interbank Card Center, allowing third parties to provide open banking transactions.
In 2026, the CBRT announced new features for open banking services. Version 2.0.0 of the Data Sharing Services in the Field of Payment, developed by BKM, expanded the scope of account information services and introduced comprehensive card information and transaction features. It also added scheduled payment order initiation and recurring payment order initiation services.
This development is significant because it shows that Turkey’s open banking framework is moving beyond basic account aggregation and payment initiation toward more advanced digital financial services. Scheduled and recurring payment initiation may be especially useful for subscription management, bill payment automation, rent payments, corporate treasury planning and personal finance applications.
4. Open Banking Gateway and BKM Infrastructure
The Interbank Card Center, known as BKM, plays an important technical infrastructure role in Turkey’s open banking ecosystem. The CBRT’s 2022 announcement referred to the Open Banking Gateway infrastructure developed by BKM.
BKM describes Data Sharing Services in the Field of Payment as comprising the two essential services of the open banking framework: account information services and payment initiation services. BKM also explains that open banking involves making data in the financial system accessible to authorized third-party service providers through standard APIs in compliance with regulations.
Standardized infrastructure is important because open banking cannot function efficiently if every bank and fintech provider uses different technical formats, security methods and data standards. A common gateway and standard APIs reduce integration costs, support interoperability and improve user experience.
For fintech companies, BKM infrastructure means that technical certification and integration planning are key parts of legal compliance. A fintech business cannot focus only on the commercial product; it must also satisfy technical, operational and regulatory requirements.
5. Account Information Services
Account information services allow customers to view consolidated information about their payment accounts held at different payment service providers. For example, a customer may use one application to view balances and transactions from several banks. A company may use an open banking tool to consolidate account data for cash management and accounting.
The CBRT’s open banking guidance materials and related legal commentary explain that account information service providers require an operating license from the CBRT. An account information service generally involves collecting and presenting customer account data from account service providers through authorized and regulated access.
This service creates many business opportunities. Fintech companies may develop budgeting applications, personal finance management tools, SME cash-flow dashboards, accounting integrations, credit scoring platforms, affordability analysis tools and corporate treasury applications.
However, account information services involve sensitive data. A provider may access transaction history, account balances, counterparty details, spending patterns and income data. Therefore, customer authorization, data minimization, retention limits, cybersecurity and privacy policies are essential.
6. Payment Initiation Services
Payment initiation services allow a licensed provider to initiate a payment order from the customer’s payment account held with another payment service provider. The provider does not necessarily hold customer funds; it acts as an authorized initiator of the payment instruction.
This can create important fintech opportunities. A merchant may receive payments directly from the customer’s bank account without relying on card schemes. A consumer may initiate payments through a budgeting app. A business may automate supplier payments. A platform may allow account-to-account payments with lower friction.
The CBRT’s 2026 update is particularly important for payment initiation because it introduced scheduled payment order initiation and recurring payment order initiation features. These functions may support automated rent payments, subscription payments, invoice payments, loan installment payments and business recurring payment workflows.
From a legal perspective, payment initiation services require strong authentication, clear customer instruction, transparent fee disclosure, secure technical infrastructure and clear responsibility allocation among the payment initiation service provider, account servicing institution and customer.
7. Licensing Requirements for Open Banking Providers
Open banking services in Turkey are not freely offered by any technology company. Providers that offer regulated payment services, including account information services and payment initiation services, generally need authorization from the CBRT.
Legal commentary on the CBRT’s Data Sharing Services in Payment Services Guideline states that payment institutions providing account information services and payment initiation services must obtain operating licenses from the CBRT, and that institutions may apply for these two services separately or together.
This licensing requirement is fundamental. A company that merely develops software for banks may not always need a payment services license, depending on its role. But a company that directly provides account information services or payment initiation services to customers may fall within the regulated perimeter.
Therefore, every fintech business model should be analyzed carefully. The legal question is not what the company calls itself. The key question is what the company actually does: Does it access account data? Does it initiate payment orders? Does it contract with account service providers? Does it process customer payment data? Does it provide services directly to customers? Does it hold funds or only transmit instructions?
8. Banks and Open Banking Services
Banks are central actors in open banking. They hold customer accounts and financial data. They must provide secure electronic banking services and, where required by the regulatory framework, enable access through open banking infrastructure to authorized third-party providers.
The BRSA’s Regulation on Information Systems and Electronic Banking Services sets minimum rules for banks’ information systems and electronic banking services. The regulation’s purpose is to establish procedures and principles for management of information systems used by banks and the risks related to electronic banking services.
This matters because open banking access is part of the broader electronic banking environment. Banks must manage cyber risk, authentication, API security, service continuity, audit logs, customer complaints and third-party risk. If an unauthorized transaction or data leak occurs through an open banking channel, the legal analysis will likely examine whether the bank and the third-party provider each fulfilled their security and operational duties.
9. Customer Consent, Request and Authorization
Open banking is based on customer control. A customer should not lose control over financial data simply because a bank or fintech company wants to create a new product. Access to account information or payment initiation must be based on lawful customer authorization and regulatory requirements.
However, Turkish law requires careful distinction between personal data consent, banking secrecy requirements and payment services authorization. Under Turkish banking secrecy rules, customer secret information may be subject to stricter rules than ordinary personal data. Banking Law No. 5411 and related BRSA rules may require customer request or instruction for sharing customer secrets unless a statutory exception applies.
Therefore, an open banking provider must design customer journeys carefully. The customer should know what data will be accessed, for what purpose, for how long, by whom, and how authorization may be withdrawn. Broad, unclear or bundled consent forms create legal risk.
A legally sound consent and authorization structure should be specific, informed, revocable, recorded and compatible with both payment services regulation and data protection law.
10. Personal Data Protection and KVKK Compliance
Open banking involves significant personal data processing. Account balances, transaction histories, names, IBANs, spending patterns, merchant data, income streams and financial habits may all qualify as personal data when relating to an identified or identifiable natural person.
Therefore, open banking providers must comply with KVKK. This includes lawful processing, privacy notices, data minimization, purpose limitation, data security, retention policies, data subject rights and cross-border transfer rules.
KVKK compliance is not only a formality. Open banking data may reveal sensitive aspects of a person’s life, such as salary, rent, medical payments, subscriptions, political donations, religious spending, travel patterns or debt status. Even if the data is not technically classified as special category personal data, it may still be highly intrusive.
Fintech companies should therefore apply privacy-by-design. They should collect only the data necessary for the service, avoid excessive retention, use encryption, restrict employee access, maintain audit logs and allow users to revoke permissions easily.
11. Banking Confidentiality and Customer Secrets
Open banking also involves banking confidentiality. A customer’s financial data held by a bank may constitute a customer secret under Turkish banking law. This means that sharing such data is subject not only to KVKK but also to banking secrecy rules.
This is especially important for corporate customers. Company account information may not always qualify as personal data, but it may still be a bank customer secret. For example, a company’s cash flow, loan repayments, supplier payments, tax payments, salary payments and account balances may be commercially confidential.
Therefore, open banking providers serving SMEs and corporate customers must consider banking secrecy even when KVKK does not apply directly. Legal documents should address confidentiality, permitted data use, onward transfer restrictions, audit rights and deletion obligations.
12. Cybersecurity and Strong Customer Authentication
Open banking creates new cybersecurity risks. If APIs, authentication flows or third-party applications are weak, fraudsters may exploit them to access data or initiate unauthorized payments.
Security controls should include strong customer authentication, secure API standards, encryption, transaction monitoring, fraud detection, device risk analysis, session management, access tokens, audit logs, incident response and penetration testing.
The BRSA electronic banking regulation is relevant because it imposes minimum principles for banks’ information systems and electronic banking services. Payment institutions and electronic money institutions must also comply with CBRT-related information systems and data sharing requirements.
A fintech provider should not treat cybersecurity as a purely technical issue. In a dispute, security failures may lead to civil liability, regulatory sanctions, customer claims, data protection investigations and reputational damage.
13. Liability for Unauthorized Transactions
Open banking may create disputes where a payment is initiated without proper authorization, a customer claims that access was not valid, data was misused or a third-party provider failed to protect credentials.
Possible responsible parties may include the bank, payment initiation service provider, account information service provider, payment institution, electronic money institution, merchant, software provider or customer, depending on the facts.
A proper liability analysis should ask:
Was the provider licensed?
Was customer authorization valid?
Was strong authentication used?
Was the payment instruction properly recorded?
Was the transaction abnormal or suspicious?
Did the provider preserve logs?
Did the bank execute a valid instruction?
Did the customer revoke authorization before the transaction?
Was data used beyond the permitted purpose?
Open banking agreements should allocate responsibility clearly, but contractual terms cannot override mandatory consumer protection, banking, payment services or data protection rules.
14. Data Retention and Deletion
Open banking providers should define how long account data and payment information will be stored. Retaining more data than necessary creates legal risk. Deleting data too early may create audit and dispute resolution problems.
Legal commentary on the CBRT’s open banking guideline states that if the customer’s consent period expires or the customer revokes consent, account information may continue to be stored only with the customer’s consent; if the relationship ends, data other than audit trails required by regulation should be deleted.
This illustrates the need for a balanced retention policy. Providers must keep legally required audit trails, but they should not indefinitely store customer financial data for analytics, marketing or future product development without a lawful basis.
15. Open Banking and Fintech Opportunities
Open banking offers significant opportunities for Turkey’s fintech ecosystem. The most obvious opportunities include:
Account aggregation applications, personal finance management tools, SME cash flow dashboards, automated accounting integrations, payment initiation services, recurring payment management, instant bank account verification, credit scoring based on cash-flow data, affordability analysis, merchant payment solutions, subscription payment management, automated tax and invoice reconciliation, embedded finance and financial planning tools.
For SMEs, open banking can reduce administrative burden. A company can automatically reconcile bank transactions with invoices, monitor multiple bank accounts, detect cash-flow shortages and improve access to finance by sharing reliable transaction data with lenders.
For consumers, open banking can improve financial awareness. Users can see all accounts in one place, track spending, manage recurring payments, compare products and receive personalized financial recommendations.
For banks, open banking can support partnerships with fintech companies, embedded finance products, API-based services and better customer retention through integrated digital ecosystems.
16. Open Banking and Credit Scoring
One of the most promising areas is alternative credit scoring. Traditional credit scoring relies heavily on credit history, declared income, collateral and bank records. Open banking may allow lenders to assess real cash-flow patterns, income regularity, spending behavior and debt capacity.
This can help SMEs and freelancers who may not have strong collateral but have stable transaction flows. It can also help lenders assess risk more accurately.
However, credit scoring based on open banking data must comply with data protection, transparency and fairness principles. Customers should know how their data is used. Automated decision-making should be explainable. Discriminatory or opaque scoring models may create legal and reputational risks.
17. Open Banking for Corporate Treasury
Corporate treasury is another major opportunity. Businesses often maintain accounts at several banks. Manual account monitoring and payment reconciliation can be inefficient. Open banking can enable real-time account visibility, automated payment initiation, cash pooling analysis and better liquidity management.
For companies with high transaction volumes, open banking integrations can reduce human error and improve internal control. They can also support automated supplier payments, payroll preparation and invoice reconciliation.
However, corporate open banking products require strong authorization controls. A company must define who can view accounts, who can initiate payments, who can approve transactions and how access is revoked when employees leave.
18. Open Banking and Embedded Finance
Open banking supports embedded finance by allowing financial services to be integrated into non-bank platforms. E-commerce platforms, accounting software, ERP systems, marketplaces and mobility platforms may use open banking infrastructure to provide payments, financing, cash-flow analysis or account verification.
For example, an accounting software provider may integrate account information services to automatically reconcile bank movements. A marketplace may use payment initiation services to reduce payment friction. A lender may use account data to assess merchant creditworthiness.
The legal risk is that non-bank platforms may cross into regulated payment services without realizing it. A technology provider should analyze whether it merely provides software infrastructure or directly provides regulated account information or payment initiation services. If the latter, CBRT authorization may be required.
19. Competition and Market Impact
Open banking can increase competition in financial services. Banks no longer control every customer interaction. Fintech companies can build new services on top of regulated access to customer accounts. Consumers can compare services more easily. SMEs can share data with alternative lenders.
However, competition depends on fair access, technical interoperability and regulatory clarity. If API access is unreliable, overly restrictive or inconsistent across institutions, open banking may not reach its full potential. If fintech providers are not properly supervised, customer trust may be damaged.
Turkey’s use of BKM infrastructure and CBRT-supervised open banking services may help create more standardized market conditions. The 2026 expansion of open banking features suggests that the ecosystem is moving toward broader functionality.
20. Cross-Border Open Banking Issues
Cross-border open banking raises additional legal issues. A Turkish fintech company may want to serve customers with accounts abroad, or a foreign fintech company may want to serve Turkish users. These models may involve foreign licensing, cross-border data transfer, outsourcing, foreign cloud providers, international payment rules and banking secrecy restrictions.
A foreign provider should not assume that it can access Turkish banking data without local compliance. If the service involves Turkish payment accounts, Turkish customers, Turkish banks or payment initiation in Turkey, CBRT and BRSA rules may become relevant.
Similarly, Turkish providers using foreign technology vendors should review KVKK cross-border transfer rules, banking confidentiality, outsourcing restrictions and cybersecurity obligations.
21. Contractual Documentation for Open Banking
Open banking requires strong contractual documentation. Key documents may include:
Customer terms of service, privacy notice, explicit consent or authorization text, data sharing terms, API access agreements, bank-fintech cooperation agreements, outsourcing agreements, service level agreements, incident response protocols, data processing agreements, cybersecurity policies, complaint procedures and merchant agreements.
Customer-facing documents should be clear and understandable. They should explain what the service does, what data is accessed, whether payments can be initiated, what fees apply, how authorization is given, how authorization can be revoked, how complaints are handled and who is responsible for unauthorized transactions.
Business-to-business agreements should allocate technical responsibilities, uptime, security standards, audit rights, liability, data breach notification, regulatory cooperation, termination and transition obligations.
22. Regulatory Risks for Fintech Companies
Fintech companies entering open banking in Turkey face several regulatory risks.
The first risk is operating without the required CBRT license. A company may believe it is merely a technology platform, but if it provides account information or payment initiation services, it may need authorization.
The second risk is data misuse. Open banking data collected for one purpose should not be used for unrelated marketing, profiling or credit scoring without a lawful basis.
The third risk is cybersecurity failure. A data leak or unauthorized payment may lead to regulatory investigation, customer claims and loss of market trust.
The fourth risk is inadequate customer authorization. If the customer did not clearly authorize access or payment initiation, the provider may face liability.
The fifth risk is poor recordkeeping. Open banking disputes depend heavily on logs, timestamps, authentication records and consent records. Without evidence, defense becomes difficult.
23. Regulatory Risks for Banks
Banks also face risks. They must provide secure access where required, protect customer data, monitor API risks, verify authorized providers, manage electronic banking security and handle customer complaints properly.
A bank may face liability if it refuses lawful access without justification, shares data excessively, fails to secure API channels, ignores suspicious open banking transactions, or fails to preserve records.
Banks must also manage third-party risk. Open banking transforms banks into participants in a wider ecosystem. Even where a third-party provider interacts with the customer, the bank’s role as account servicing institution remains legally important.
24. Consumer Protection in Open Banking
Consumers must understand what they are authorizing. A consumer may not distinguish between a bank, licensed payment institution, fintech app and unregulated platform. Therefore, transparency is essential.
Consumer protection issues include:
Clear disclosure of provider identity, licensing status, data access scope, payment initiation authority, fees, withdrawal of consent, complaint routes, liability for unauthorized transactions and data deletion.
Open banking should not be designed through dark patterns or confusing consent screens. If users are pushed into sharing broad data without understanding consequences, legal disputes may arise.
25. Evidence in Open Banking Disputes
Evidence is crucial. In a dispute, the parties may need to prove:
Customer authorization, scope of consent, authentication method, API request logs, account data accessed, payment instruction details, timestamps, IP addresses, device information, service provider identity, revocation date, transaction status, error messages, customer complaint history and technical incident reports.
Providers should maintain audit trails. Banks should preserve access logs. Customers should keep screenshots, e-mails, notifications and transaction confirmations.
Because open banking disputes are technical, expert examination may be required in litigation.
26. Practical Compliance Checklist for Open Banking Providers
An open banking provider in Turkey should follow this checklist:
Determine whether the service requires CBRT authorization.
Identify whether the service is account information, payment initiation or both.
Complete licensing and technical certification requirements.
Design clear customer authorization flows.
Prepare KVKK-compliant privacy notices.
Apply banking secrecy analysis where customer secrets are involved.
Use secure APIs and strong authentication.
Maintain audit logs and evidence records.
Implement data minimization and retention policies.
Allow easy revocation of authorization.
Prepare incident response and complaint procedures.
Review outsourcing and cloud arrangements.
Avoid using data for unrelated purposes.
Monitor regulatory updates continuously.
27. Practical Checklist for Banks
Banks participating in open banking should:
Secure API infrastructure.
Verify access by authorized providers.
Apply strong customer authentication.
Maintain transaction and access logs.
Limit data sharing to authorized scope.
Protect customer secrets.
Coordinate with CBRT and BRSA requirements.
Prepare customer complaint procedures.
Monitor suspicious transactions.
Test system resilience.
Review fintech partnership agreements.
Train internal teams on open banking obligations.
28. Practical Checklist for Customers
Customers using open banking services should:
Check whether the provider is authorized.
Read what data will be accessed.
Avoid granting unnecessary permissions.
Review how long access will continue.
Use secure devices and passwords.
Monitor account activity.
Revoke access when the service is no longer needed.
Keep transaction confirmations.
Report suspicious activity immediately.
Avoid sharing banking credentials with unverified applications.
29. Why Legal Support Is Important
Open banking in Turkey requires specialized legal analysis because it combines payment services regulation, banking law, fintech licensing, data protection, banking secrecy, cybersecurity, consumer protection and contract law.
A Turkish fintech lawyer may assist with CBRT licensing, business model assessment, account information service analysis, payment initiation service analysis, customer consent flows, privacy documents, data sharing agreements, API contracts, bank-fintech partnerships, outsourcing review, cybersecurity compliance, complaint procedures and regulatory correspondence.
Legal support is especially important before launching the product. Once a fintech platform begins operating without proper licensing or data compliance, legal risk becomes much harder to control.
Conclusion
Open banking in Turkey is transforming the relationship between customers, banks and fintech companies. By allowing authorized access to account information and payment initiation services, open banking creates opportunities for personal finance management, SME cash-flow tools, payment automation, credit scoring, embedded finance and digital banking innovation.
Turkey’s legal framework is based primarily on Law No. 6493, CBRT supervision, BKM’s open banking infrastructure, BRSA electronic banking rules, banking secrecy and KVKK. The CBRT launched open banking services in the payments area in 2022 and expanded functionality in 2026 with new features such as card information, scheduled payment initiation and recurring payment initiation.
However, open banking also creates serious compliance obligations. Providers must obtain required licenses, secure customer authorization, protect personal data, respect banking confidentiality, maintain cybersecurity, preserve audit logs and manage liability for unauthorized transactions.
For fintech companies, open banking offers major business opportunities but requires careful regulatory planning. For banks, it creates both competitive pressure and partnership potential. For customers, it offers more control over financial data but also requires awareness of data sharing risks.
In Turkish finance law, open banking is not simply a technology trend. It is a regulated data-sharing and payment services ecosystem. Its success depends on trust, security, legal compliance and customer transparency. A legally sound open banking model must combine innovation with regulatory discipline, because in financial technology, sustainable growth is possible only when customer data, payment authority and legal responsibility are handled with precision.