Introduction
Digital banking law in Turkey has become one of the most important legal areas within the fintech and banking sectors. As customers increasingly prefer mobile applications, online onboarding, instant financial services, embedded finance solutions, and branchless banking models, Turkish banking regulation has adapted to allow banks to operate without traditional physical branches. This transformation is not merely technological; it is also legal, regulatory, operational, and contractual.
In Turkey, digital banking is mainly regulated by the Regulation on the Operating Principles of Digital Banks and Banking as a Service Model, published in the Official Gazette dated 29 December 2021. The regulation determines the procedures and principles applicable to branchless banks that provide services through electronic banking channels and to Banking-as-a-Service models offered to fintech companies and other businesses.
A digital bank in Turkey is not simply a mobile application or an online interface of a traditional bank. Under the regulation, a digital bank is a credit institution that provides banking services through electronic banking services distribution channels instead of physical branches. This means that digital banks remain banks and are subject to banking law, licensing, prudential supervision, corporate governance, capital adequacy, risk management, information systems, consumer protection, anti-money laundering, personal data protection, and cybersecurity obligations.
This article explains how digital banks are regulated in Turkey, what legal requirements apply to branchless banking, how digital bank licensing works, how Banking-as-a-Service is structured, and what legal risks fintech companies, investors, banks, and foreign financial institutions should consider before entering the Turkish digital banking market.
1. What Is a Digital Bank in Turkey?
A digital bank is a licensed bank that provides banking services mainly through electronic channels rather than physical branches. These channels may include mobile banking, internet banking, API-based services, digital onboarding tools, call centers, remote customer identification systems, and other electronic banking distribution channels.
The legal definition is important because a digital bank is not merely a fintech company. A fintech company may provide technology, software, payment interfaces, or customer-facing platforms, but unless it has obtained a banking license, it cannot present itself as a bank or perform banking activities reserved for banks.
In Turkey, digital banks are regulated as credit institutions. Depending on their license type, they may operate as deposit banks or participation banks. The digital nature of the business model does not remove the institution from the banking regulatory framework. On the contrary, because services are delivered remotely and without traditional branch infrastructure, digital banks must comply with strict rules on information systems, operational resilience, customer authentication, complaint management, data security, and business continuity.
The key legal distinction is this: a traditional bank may offer digital banking channels, but a digital bank is designed as a branchless institution from the beginning. Traditional banks can provide mobile and internet banking without being classified as digital banks under the specific digital banking regulation. However, a new institution applying for a branchless banking model must comply with the digital banking framework.
2. Main Legal Framework for Digital Banking in Turkey
Digital banking in Turkey is primarily based on the following legal sources:
Banking Law No. 5411
Regulation on the Operating Principles of Digital Banks and Banking as a Service Model
Regulation on Information Systems and Electronic Banking Services of Banks
Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relationship in Electronic Environment
Regulation on Procurement of Support Services by Banks
Law No. 5549 on Prevention of Laundering Proceeds of Crime
Law No. 6698 on the Protection of Personal Data
Consumer protection legislation
BRSA decisions, guidance, and secondary legislation
The digital banking regulation was issued on the basis of several provisions of Banking Law No. 5411, including provisions concerning permitted banking activities, establishment, operation, supervision, and regulatory powers of the Banking Regulation and Supervision Agency, known as the BRSA or BDDK.
Banking Law No. 5411 remains the core statute for banks in Turkey. It sets out establishment conditions, operating permission requirements, corporate governance standards, capital requirements, supervision rules, administrative sanctions, and restrictions applicable to banking activities. For example, a bank established in Turkey must be incorporated as a joint stock company, its shares must be issued against cash and in registered form, its founders must meet legal requirements, and its organizational structure must allow effective supervision.
Therefore, digital banking law should not be read as a separate fintech license outside banking law. It is a special regulatory model within the Turkish banking system.
3. Licensing of Digital Banks
A digital bank must obtain the necessary permissions from the BRSA before commencing operations. The licensing process is demanding because a digital bank is a fully regulated credit institution. The regulator evaluates not only the commercial model but also the institution’s shareholders, capital, governance structure, risk management capacity, information systems, internal controls, operational resilience, management qualifications, and compliance systems.
The digital banking regulation provides that the minimum paid-up capital required for digital banks to obtain an operating permission is TRY 1 billion, paid in cash and free from fictitious transactions. The BRSA Board is authorized to increase this amount.
This capital requirement shows that digital banking is not regulated like an ordinary fintech startup. A digital bank must be financially strong enough to operate as a bank, manage risks, protect customers, maintain secure systems, and meet supervisory expectations. Investors should therefore treat a digital bank project as a regulated banking venture, not only as a software or mobile application business.
A digital bank licensing strategy should address:
The proposed banking activities
Deposit or participation banking model
Target customer segment
Digital onboarding process
Credit policy
Risk management framework
Internal audit and internal control systems
Information systems architecture
Cybersecurity and business continuity
Outsourcing and vendor arrangements
AML and KYC procedures
Data protection compliance
Consumer complaint mechanisms
Capital planning
Corporate governance
Shareholder transparency
Regulatory reporting capacity
The licensing process should be prepared with legal, financial, technical, compliance, and banking professionals working together. In digital banking, the legal structure and the technical architecture must be aligned from the beginning.
4. Branchless Banking Model and Physical Branch Restrictions
The central feature of a digital bank is the absence of traditional physical branches. The digital banking regulation aims to create a banking model where services are delivered through electronic banking channels rather than branch networks. This allows lower operating costs, wider digital access, faster onboarding, and product innovation.
However, branchless banking does not mean that the bank has no physical presence at all. A digital bank may still need a headquarters, operational units, support functions, complaint handling capacity, audit infrastructure, and regulatory contact points. The legal issue is that the bank should not operate like a traditional branch-based bank unless permitted.
The branchless model affects customer acquisition, identity verification, contract execution, complaint management, recordkeeping, internal audit, outsourcing, and supervision. Since the customer does not physically visit a branch, the bank must rely on secure remote identification, strong authentication, digital contract execution, reliable communication channels, and robust transaction monitoring.
This is why digital banking regulation is closely connected to rules on remote identification and electronic banking services. The legal sustainability of a digital bank depends heavily on whether its digital channels can perform the functions that branches traditionally performed.
5. Remote Customer Onboarding and Electronic Contracts
Remote onboarding is one of the most important legal components of digital banking. A branchless bank cannot function effectively unless it can identify customers and establish banking contracts remotely.
The Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relationship in Electronic Environment sets out procedures for remote identification methods that banks may use when acquiring new customers and for establishing contractual relationships through information technology or electronic communication devices in a manner substituting written form. It also states that remote identification applies without prejudice to obligations under Law No. 5549 on Prevention of Laundering Proceeds of Crime and Law No. 6698 on the Protection of Personal Data.
For digital banks, remote onboarding generally requires:
Verification of the customer’s identity
Use of secure video call or approved digital identification methods
Authentication controls
Recording of customer declaration of intent
Presentation of contract terms through electronic channels
Secure approval of contract content
Protection of personal data
AML and KYC compliance
Fraud prevention controls
Retention of onboarding records
Remote onboarding is not merely a user experience issue. It is a legal validity issue. If the customer is not properly identified, if the declaration of intent is not securely obtained, or if the digital contract process does not comply with regulatory requirements, the bank may face customer disputes, AML risk, fraud exposure, and regulatory sanctions.
6. Customer Scope and Activity Restrictions
Digital banks in Turkey are subject to specific activity restrictions unless the BRSA removes them under the conditions provided by the regulation. One of the most important restrictions is that the credit customers of digital banks can only consist of financial consumers and SMEs.
This limitation reflects the regulatory policy behind digital banking. Digital banks are intended to expand access to banking services for retail customers and small and medium-sized enterprises, rather than immediately operating across all large-scale corporate banking segments.
However, the regulation also provides a mechanism for removing restrictions. If a digital bank increases its minimum paid-up capital to TRY 2.5 billion, the BRSA Board may, upon application, decide to remove the operating restrictions completely or gradually within a transition plan, provided that the bank is considered capable of managing the risks of the broader activity scope. After full removal of the restrictions, the digital bank may carry out all banking activities that other credit institutions can perform within the applicable legislation.
This creates a two-stage strategic model. A digital bank may initially focus on retail and SME banking, then later apply for broader authorization if it reaches higher capital strength and demonstrates sufficient risk management capacity.
7. Digital Banks as Deposit Banks or Participation Banks
A digital bank may be structured as a deposit bank or participation bank, depending on its license and business model. If it is a deposit bank, it may provide conventional banking products within the limits of its authorization. If it is a participation bank, it must operate according to participation finance principles.
The legal classification matters because the bank’s products, contracts, disclosures, accounting, funding structure, and risk management framework will differ depending on whether it is a deposit bank or participation bank.
For example, a digital participation bank must ensure that its products, profit-sharing structures, financing contracts, and customer disclosures comply with participation banking rules. A digital deposit bank must comply with conventional deposit banking rules, including deposit protection, interest-related disclosures, credit risk management, and customer contract requirements.
In both models, the institution remains subject to BRSA supervision and Banking Law No. 5411.
8. Banking-as-a-Service in Turkey
The digital banking regulation also regulates Banking-as-a-Service, commonly known as BaaS. BaaS allows a licensed bank, referred to as a service bank, to provide banking services to customers through the interface of another company, often a fintech company or digital platform.
This model is particularly important for embedded finance. A non-bank platform may want to offer banking-like services to its users without obtaining a full banking license. In such cases, a licensed service bank may provide the actual banking service, while the interface provider offers the customer-facing digital channel.
However, BaaS is heavily regulated. The regulation requires a contractual relationship between the customer and the service bank. If that relationship is established electronically, the process must comply with remote identification rules, and customer identification must be performed by the service bank.
The regulation also provides that the service bank and the interface provider are jointly responsible for ensuring that the mobile application or browser-based interface used by the customer complies with authentication and transaction security obligations applicable to electronic banking services. A service bank cannot provide BaaS services through interface providers whose systems fail to meet these obligations.
Therefore, BaaS is not an unregulated shortcut for fintech companies. It is a regulated cooperation model where the licensed bank remains central, and the interface provider must meet strict technical, contractual, and security requirements.
9. Legal Status of Interface Providers
An interface provider is a company that provides the digital interface through which customers access services offered by a service bank. The interface provider may be a fintech company, e-commerce platform, technology company, marketplace, or other business seeking to integrate banking services into its digital ecosystem.
Under the digital banking regulation, the interface provider may qualify as an outsourcing institution providing services to the service bank. The provision of such outsourcing services as an interface provider is subject to permission of the BRSA Board. The regulation also states that the interface provider must not accept deposits or participation funds on behalf of the service bank, except within specific structures where the interface provider is also a payment service provider and the applicable rules are satisfied.
This distinction is crucial. The interface provider must not create the impression that it is itself a licensed bank unless it holds the relevant license. The contract between the interface provider and the customer must clearly state that the interface provider is not a bank with operating permission, or not a payment service provider or other licensed financial institution if it lacks such authorization.
For fintech companies, this means that branding, advertising, user agreements, onboarding screens, customer support scripts, and website disclosures must be carefully drafted. Misleading customers about who provides the banking service may create regulatory, contractual, and consumer law risks.
10. Contractual Requirements in BaaS Models
Banking-as-a-Service models require detailed contracts between the service bank, interface provider, and customer. These contracts must allocate responsibilities clearly and must comply with mandatory regulatory requirements.
The digital banking regulation requires the service contract between the service bank and interface provider to include several matters, including clear disclosure that banking services are provided by the service bank, the service bank’s website address, services offered by the bank, responsibilities of the service bank, customer service contact information, complaint channels, standard agreements, use of the service bank’s logo and name, and rules on confidential data.
A well-drafted BaaS contract should address:
Scope of banking services
Role of the service bank
Role of the interface provider
Customer onboarding process
Remote identification responsibilities
Customer contract formation
Data sharing rules
Customer secret and banking secrecy obligations
Authentication and transaction security
Complaint handling
Audit rights
Regulatory reporting
Termination rights
Cybersecurity incidents
Cloud and outsourcing restrictions
Service levels
Liability and indemnity
Use of branding and logos
Fees and revenue sharing
Consumer disclosures
Business continuity obligations
A BaaS contract is not an ordinary commercial cooperation agreement. It is a regulatory document that must be aligned with banking law, data protection law, consumer law, outsourcing rules, and information systems requirements.
11. Information Systems and Cybersecurity
Digital banks depend entirely on secure technology infrastructure. Therefore, information systems and cybersecurity are central legal obligations. The Regulation on Information Systems and Electronic Banking Services of Banks sets out minimum procedures and principles for the management of information systems used by banks, electronic banking services, risk management, and information systems controls.
For digital banks, cybersecurity is not only a technical matter; it is a regulatory condition for safe banking operations. Since all customer interactions occur through digital channels, the bank must maintain strong authentication, encryption, access controls, fraud detection, secure software development, incident response, audit logging, business continuity, and disaster recovery systems.
Legal risks may arise from:
Unauthorized access
Credential theft
Identity fraud
API vulnerabilities
Mobile application security failures
Cloud service weaknesses
Phishing attacks
Data breaches
System outages
Payment or transfer errors
Failure to maintain transaction logs
Insufficient authentication
Weak outsourcing controls
The bank must also ensure that vendors, cloud providers, software developers, KYC providers, call centers, and other third parties comply with regulatory requirements. Outsourcing cannot be used to escape regulatory responsibility.
12. Data Protection, Banking Secrecy, and Customer Confidentiality
Digital banks process extensive volumes of customer data, including identity information, financial records, transaction data, behavioral data, device information, credit data, biometric data used for remote identification, IP addresses, and communication records.
In Turkey, personal data protection is regulated by Law No. 6698 on the Protection of Personal Data. The law aims to protect fundamental rights and freedoms, particularly privacy, in relation to the processing of personal data, and sets binding obligations and procedures for natural and legal persons processing personal data.
Digital banks must also comply with banking secrecy and customer confidentiality rules. In BaaS models, the regulation imposes specific requirements for confidential data transferred to the interface provider. It provides that such data should be processed only where necessary and only to the extent and period required; it also requires system and data backups to be kept domestically in Turkey where confidential data are processed by the interface provider or its service providers.
A digital bank should maintain:
Privacy notices
Data processing inventory
Legal basis assessments
Explicit consent mechanisms where necessary
Data retention policies
Access control procedures
Cross-border transfer assessments
Data processing agreements
Banking secrecy protocols
Incident response procedures
Customer rights mechanisms
Internal data governance
Vendor data protection controls
Data protection must be built into the product architecture. A digital bank that collects excessive data, shares customer data without legal basis, fails to secure confidential information, or uses data for unrelated purposes may face regulatory sanctions and customer claims.
13. AML and KYC Obligations
Digital banks are subject to anti-money laundering and counter-terrorist financing rules. Remote onboarding creates convenience but also risk. Fraudsters may attempt to use fake identities, synthetic identities, stolen credentials, mule accounts, rapid transfers, or complex transaction structures.
Law No. 5549 on Prevention of Laundering Proceeds of Crime requires obliged parties to comply with AML obligations, including reporting certain transactions and suspicious activity where applicable. MASAK is the relevant authority for AML supervision and enforcement in Turkey.
Digital banks must establish risk-based AML and KYC systems, including:
Customer identification
Remote identity verification
Beneficial ownership checks
Sanctions screening
Politically exposed person screening
Transaction monitoring
Suspicious transaction reporting
Record retention
Enhanced due diligence
Fraud detection
Internal compliance policies
Employee training
Audit and control functions
The digital nature of the bank does not reduce AML obligations. In many cases, it increases the need for automated monitoring and advanced fraud controls because transactions occur quickly and remotely.
14. Consumer Protection and Complaint Management
Digital banking must be transparent and customer-friendly. Customers should clearly understand which institution provides the banking service, what fees apply, how accounts are opened and closed, how complaints are submitted, how unauthorized transactions are handled, and what risks exist.
Consumer protection issues may arise in:
Account opening
Loan applications
Interest and fee disclosures
Digital contract terms
Unauthorized transactions
Fraud complaints
Card issuance
Credit scoring
Account freezes
Service outages
Mistaken transfers
Data privacy complaints
BaaS interface confusion
Misleading advertising
Unfair contract terms
In BaaS models, the regulation requires customer-facing disclosures about the service bank, the services offered, the responsibilities of the service bank, and the channels through which customers can submit requests and complaints.
A digital bank should design its user interface and legal documents together. A technically smooth application is not sufficient if the legal disclosures are hidden, unclear, misleading, or inconsistent with mandatory banking rules.
15. Credit Risk and Digital Lending
Digital banks often rely on automated credit scoring, alternative data, fast loan approval tools, and mobile-based credit applications. These tools can improve access to finance, especially for consumers and SMEs. However, they also create legal risks.
The digital banking regulation recognizes that digital banks may use income estimation models based on objective criteria, provided that the documents and declarations obtained for solvency assessment are considered and records forming the basis of income determination are ready for audit. The regulation also requires the models to produce reasonable and consistent results according to the relevant documents and records.
This is highly important for digital lending. A digital bank should be able to explain and document how it evaluates the customer’s solvency. If an automated system grants inappropriate loans, discriminates against certain customer groups, fails to consider repayment capacity, or cannot be audited, the bank may face regulatory and civil liability.
Digital lending compliance should include:
Transparent credit policies
Objective scoring criteria
Auditability of models
Human oversight where required
Data minimization
Consumer credit disclosures
Responsible lending principles
Complaint procedures
Records of credit decisions
Monitoring of model performance
Bias and discrimination risk review
Cybersecurity controls around credit data
Artificial intelligence and automated decision-making may create additional legal questions under data protection, consumer law, and banking supervision principles.
16. Legal Risks for Digital Banks and Fintech Partners
Digital banking creates many commercial opportunities, but it also brings serious legal risks. These risks may affect digital banks, service banks, fintech interface providers, investors, vendors, and customers.
Common legal risks include:
Operating without the required license
Misleading customers about licensed status
Weak remote identification controls
Failure to comply with AML obligations
Insufficient customer authentication
Data breaches
Violation of banking secrecy
Unauthorized sharing of customer data
Outsourcing without required permission
Inadequate BaaS contracts
Failure to disclose the service bank
Improper use of bank logos or branding
Consumer complaints regarding fees or loans
Fraudulent account opening
System outages
API failures
Lack of audit logs
Non-compliant cloud infrastructure
Failure to maintain domestic backups where required
Regulatory reporting failures
Administrative sanctions by the BRSA
The most dangerous mistake is treating digital banking as a simple app-based business. In legal terms, digital banking is still banking. The regulatory burden is high because customer funds, credit relationships, financial stability, consumer rights, and confidential data are involved.
17. Compliance Checklist for Digital Banks in Turkey
A digital bank or fintech partner entering the Turkish market should consider the following compliance steps:
Classify the business model correctly.
Determine whether a full banking license, BaaS partnership, payment license, or other authorization is required.
Review Banking Law No. 5411 and BRSA secondary legislation.
Assess minimum paid-up capital and shareholder requirements.
Prepare a detailed licensing strategy.
Design remote onboarding in compliance with applicable rules.
Establish AML and KYC systems.
Prepare cybersecurity and information systems governance.
Review cloud, outsourcing, and vendor contracts.
Prepare privacy notices and data processing documentation.
Ensure compliance with banking secrecy rules.
Draft customer agreements and digital contract flows.
Prepare complaint handling procedures.
Create audit trails and record retention systems.
Review consumer credit and fee disclosures.
Assess BaaS interface provider permissions.
Ensure that customer-facing branding is not misleading.
Prepare regulatory reporting procedures.
Monitor BRSA, MASAK, and KVKK developments continuously.
This checklist should be adapted to the specific model. A licensed digital bank, a traditional bank offering BaaS, and a fintech interface provider do not have identical legal obligations.
18. Why Legal Support Is Important in Digital Banking
Digital banking projects require careful legal planning. A company may have strong technology, customer demand, and investment backing, but without correct legal structuring, the business may face licensing problems, regulatory intervention, contract disputes, customer complaints, or banking relationship issues.
A fintech and banking lawyer can assist with:
Digital banking licensing analysis
BRSA application strategy
Corporate and shareholder structuring
Banking-as-a-Service contracts
Interface provider compliance
Remote onboarding legal review
Customer agreement drafting
Data protection compliance
Banking secrecy analysis
AML and KYC policies
Cybersecurity and outsourcing contracts
Consumer protection review
Regulatory correspondence
Administrative sanction defense
Fintech litigation and dispute resolution
Legal support is most effective when involved at the product design stage. In digital banking, compliance cannot be added at the end. It must be integrated into the business model, customer journey, data architecture, and contractual structure from the beginning.
Conclusion
Digital banking law in Turkey provides a modern legal framework for branchless banking and Banking-as-a-Service models. The regulation allows banks to serve customers through electronic channels instead of traditional branches, while also imposing strict requirements on capital, licensing, customer onboarding, cybersecurity, data protection, AML compliance, outsourcing, consumer disclosures, and regulatory supervision.
The key point is that digital banks are still banks. They are not ordinary technology companies. They must comply with Banking Law No. 5411, BRSA regulations, information systems rules, remote identification requirements, personal data protection law, AML legislation, and consumer protection principles.
For fintech companies, the Banking-as-a-Service model creates significant opportunities, but it also requires careful legal structuring. Interface providers must avoid misleading customers, must comply with security and confidentiality obligations, and may need BRSA permission depending on their role.
Turkey’s digital banking framework offers strong opportunities for innovation, financial inclusion, embedded finance, and customer-friendly banking services. However, these opportunities come with regulatory responsibility. Companies that build legally compliant, secure, transparent, and well-governed digital banking models will be better positioned to gain customer trust, regulatory confidence, investor support, and long-term market success.