Banking as a Service in Turkey: Legal Framework for Embedded Finance Models


Introduction

Banking as a Service, commonly known as BaaS, is one of the most important legal and commercial developments in modern financial technology. It allows a licensed bank to provide banking services through the digital interface of another company. This structure enables fintech platforms, e-commerce businesses, digital marketplaces, mobility companies, loyalty programs, accounting software providers, and other technology businesses to integrate financial services into their customer journey without becoming a bank themselves.

In Turkey, Banking as a Service is not an informal commercial partnership. It is a regulated banking model. The main legal framework is the Regulation on the Operating Principles of Digital Banks and Banking as a Service Model, published by the Banking Regulation and Supervision Agency, known as the BRSA or BDDK. The regulation contains a separate section on the Banking as a Service model and defines the legal relationship between the service bank, the interface provider, and the customer. It states that a service bank may provide BaaS only to domestically resident interface providers and only within the framework of its own operating permission.

BaaS is closely connected with embedded finance. Embedded finance means placing financial services inside a non-bank digital environment. For example, a marketplace may offer payment accounts to sellers, a mobility application may offer wallet-linked banking features, a software platform may offer business accounts to SMEs, or a retail application may allow users to access financial products without leaving the platform. However, the legal structure behind these services must be carefully designed. The fact that the customer sees the fintech company’s mobile app does not mean that the fintech company is the bank.

This article explains how Banking as a Service is regulated in Turkey, the roles of service banks and interface providers, customer contract requirements, data protection obligations, cybersecurity standards, AML and KYC duties, consumer protection issues, and legal risks for embedded finance models.


1. What Is Banking as a Service?

Banking as a Service is a regulated cooperation model where a licensed bank provides banking services through the interface of a third-party company. The third-party company is generally called an interface provider. The bank that provides the actual banking service is called the service bank.

In a typical BaaS model, the customer uses a mobile application, website, platform, or digital dashboard operated by the interface provider. Through that interface, the customer may access a banking service supplied by the service bank. The service may involve account opening, payment-related functions, loans, cards, deposits, participation banking products, or other banking services permitted under the service bank’s license.

The defining legal point is that the banking service remains on the balance sheet of the service bank. The BDDK regulation provides that the service bank decides whether to provide the banking service to the customer through the interface provider’s interface, including the credit allocation decision, and that the banking services offered to the customer are carried out on the balance sheet of the service bank.

This means that BaaS does not allow an unlicensed company to act as a bank. Instead, it allows a licensed bank to distribute banking services through a regulated interface relationship. The interface provider may improve user experience, customer acquisition, digital design, data flow, and platform integration, but it must not mislead customers into believing that it is the licensed bank unless it actually holds the relevant authorization.


2. Legal Framework of BaaS in Turkey

The Turkish legal framework for Banking as a Service is based mainly on:

Banking Law No. 5411
Regulation on the Operating Principles of Digital Banks and Banking as a Service Model
Regulation on Information Systems and Electronic Banking Services of Banks
Regulation on Remote Identification Methods Used by Banks
Regulation on Support Services / Outsourcing by Banks
Law No. 6493 on Payment Services and Electronic Money Institutions
Law No. 5549 on Prevention of Laundering Proceeds of Crime
Law No. 6698 on the Protection of Personal Data
Consumer protection legislation
BRSA decisions and secondary legislation

Banking Law No. 5411 remains the central statute for banking activities in Turkey. Its contents include permissions for establishment and operation, corporate governance, audit committee rules, and obligations regarding internal systems. The BaaS regulation does not remove the service bank from ordinary banking law. It creates a special distribution and cooperation model within the banking regulatory framework.

The Regulation on Information Systems and Electronic Banking Services of Banks is also critical. Its purpose is to set minimum procedures and principles for the management of bank information systems, electronic banking services, risk management, and information systems controls. It also defines open banking services as electronic distribution channels through which customers or persons acting for them may execute banking transactions or instruct a bank through remote access methods such as APIs and web services.

Therefore, BaaS in Turkey should be understood as a combination of banking law, electronic banking law, outsourcing law, data protection law, AML law, and contract law.


3. Parties in a BaaS Model: Service Bank, Interface Provider, and Customer

A Banking as a Service model usually includes three main actors.

The first actor is the service bank. This is the licensed bank that provides banking services under its own operating permission. It is the regulated institution responsible for the banking product, regulatory compliance, balance sheet treatment, customer contract, and supervisory obligations.

The second actor is the interface provider. This is the company that owns or operates the digital interface through which the customer accesses the service bank’s banking services. The interface provider may be a fintech startup, e-commerce platform, retail company, software company, digital marketplace, or another technology-driven business. Under the BaaS regulation, banks themselves cannot be interface providers.

The third actor is the customer. The customer may be a consumer, SME, platform seller, merchant, freelancer, or other user depending on the business model. The customer may interact mainly with the interface provider’s application, but the actual banking service is provided by the service bank.

This triangular relationship must be transparent. Customers must understand who provides the banking service, who operates the interface, who holds regulatory responsibility, where complaints may be submitted, and what legal terms apply.


4. The Service Bank’s Legal Role

The service bank is the core regulated entity in a BaaS model. It cannot outsource its legal identity or regulatory responsibility to the interface provider. Even if the customer journey takes place through the interface provider’s application, the banking service is provided by the licensed bank.

Under the Turkish regulation, the service bank may provide BaaS only within the framework of its own operating permission. This means that a bank cannot use BaaS to provide services it is not otherwise authorized to provide.

The service bank’s responsibilities generally include:

Determining whether the customer may receive the banking service
Establishing the contractual relationship with the customer
Ensuring compliance with banking law
Making credit allocation decisions where credit products are offered
Performing or controlling customer identification
Ensuring AML and KYC compliance
Ensuring information security and transaction security
Protecting banking secrets and customer data
Monitoring the interface provider’s compliance
Keeping records and audit trails
Reporting required information to the BRSA
Handling customer complaints within the applicable framework
Ensuring that banking services remain within the scope of its license

The regulation also requires the service bank to provide information on its website regarding the scope of services provided through BaaS, including the list of interface providers and the banking services provided. It must also send copies of service contracts and material amendments to the BRSA within the prescribed period.


5. The Interface Provider’s Legal Role

The interface provider is not merely a marketing partner. It performs a regulated and sensitive role because it mediates customer access to banking services. Under the BaaS regulation, the interface provider qualifies as an outsourcing institution providing services to the service bank in relation to mediating the establishment of the contractual relationship between the service bank and the customer.

This classification is important. It means that the interface provider may be subject to BRSA permission and regulatory scrutiny. The regulation states that the relevant interface provider must be authorized by the BRSA Board as an outsourcing institution before the service bank signs a service contract with it. It also states that an interface provider’s ability to work with more than one service bank is subject to BRSA Board permission.

The interface provider must also avoid misleading customers. The regulation prohibits interface providers from using the names of payment service providers, banks, or other expressions without the necessary permissions in a way that creates the impression that they are operating like a payment service provider or bank.

In practical terms, the interface provider should carefully review:

App screens
Landing pages
Advertising language
User agreements
Customer onboarding statements
Branding and logo usage
Customer support scripts
Fee disclosures
Complaint channels
Privacy notices
Marketing campaigns
Product descriptions

The legal risk is simple but serious: if a fintech platform looks like a bank, speaks like a bank, and sells banking services as if they were its own products, regulators and customers may treat the structure as misleading or non-compliant.


6. Customer Contractual Relationship

A valid BaaS structure requires a contractual relationship between the customer and the service bank. The customer may use the interface provider’s digital channel, but the customer must have a legal relationship with the bank providing the banking service.

The BDDK regulation states that, for the service bank to provide banking services to the customer of the interface provider, a contractual relationship must be established between the customer and the service bank. This requirement is the backbone of Turkish BaaS law.

A customer contract in a BaaS model should clearly explain:

The identity of the service bank
The identity and role of the interface provider
The scope of banking services
The customer’s rights and obligations
Fees, commissions, and charges
Complaint and customer support channels
Data processing and confidentiality rules
Authentication and security obligations
Account access rules
Termination and suspension rights
Liability for unauthorized transactions
Applicable consumer protection rules
Governing law and dispute resolution

The interface provider’s terms of service should not contradict the service bank’s customer contract. If the platform’s app terms say one thing and the bank’s framework agreement says another, the structure may generate consumer disputes, regulatory criticism, and liability allocation problems between the parties.


7. Embedded Finance and Commercial Use Cases

Embedded finance is the commercial reason why BaaS has become so important. Instead of forcing customers to leave a digital platform and visit a bank separately, embedded finance allows financial services to appear inside the customer’s existing digital environment.

Examples of BaaS and embedded finance use cases in Turkey may include:

A marketplace offering seller banking tools
A retail platform offering customer finance products
A mobility platform offering card or account services
A payroll software company offering salary accounts
An accounting platform offering SME banking products
A loyalty application offering bank-linked financial features
A B2B platform offering invoice financing through a bank
A digital wallet provider integrating banking services
A SaaS platform offering cash management features
A fintech app offering bank-provided credit products

However, the legal classification must be reviewed carefully. Some models may fall within banking law, while others may also trigger payment services law under Law No. 6493. Law No. 6493 regulates payment and securities settlement systems, payment services, payment institutions, and electronic money institutions. If the interface provider also provides payment initiation, account information services, electronic money issuance, or other payment services, a separate payment services license may be required.

This is why embedded finance should not be treated as a single legal category. It is a commercial concept that may contain several regulated activities.


8. BaaS, Open Banking, and APIs

Banking as a Service often operates through APIs, web services, mobile SDKs, and other digital integration tools. The Regulation on Information Systems and Electronic Banking Services of Banks defines open banking services by reference to remote access methods such as APIs, web services, and file transfer protocols.

In a BaaS model, APIs are not just technical connectors. They are regulated access channels. The service bank must ensure that the interface provider’s channel complies with authentication and transaction security obligations. The BaaS regulation provides that the interface provider and the service bank are jointly responsible for ensuring that the mobile application or browser-based interface used by the customer complies with electronic banking authentication and transaction security obligations.

API contracts and technical schedules should address:

Authentication standards
Encryption
API access controls
Transaction authorization
Logging and audit trails
Rate limits
Incident response
Data minimization
Testing and certification
Version control
Service levels
Business continuity
Fraud monitoring
Regulatory audit access
Termination and migration

A weak API contract may create serious legal exposure. If an unauthorized transaction occurs because of an interface vulnerability, both the service bank and the interface provider may face disputes over responsibility.


9. Information Systems and Cybersecurity

Cybersecurity is one of the most important legal requirements in BaaS. The customer accesses banking services through the interface provider’s systems, but the underlying regulated service belongs to the bank. Therefore, both parties must maintain strong information security controls.

The banking information systems regulation requires banks to issue information systems policies, procedures, and process documents for managing risks arising from the use of information systems and protecting information assets. It also requires information security policies to be approved by the board of directors and reviewed at least annually.

BaaS cybersecurity controls should include:

Secure software development
Penetration testing
Strong customer authentication
Encryption of data in transit and at rest
API security
Device and session monitoring
Fraud detection
Access management
Incident response
Business continuity
Disaster recovery
Security logging
Vendor monitoring
Independent audit rights
Regular vulnerability assessments
Customer notification procedures

The BaaS regulation also gives the service bank a right to terminate the contract immediately if the interface provider’s information systems and service channels used to process confidential data fail to meet the requirements under the electronic banking information systems regulation, or if the BRSA Board revokes the interface provider’s outsourcing permission.

This is a strong regulatory signal. In BaaS, technical weakness is not only a technology problem. It can become a contract termination event and a regulatory compliance failure.


10. Data Protection, Banking Secrecy, and Customer Secrets

BaaS models involve extensive data sharing. The interface provider may collect or process customer information during onboarding, authentication, transaction instruction, customer support, analytics, fraud prevention, and complaint management. The service bank may share certain confidential information with the interface provider where necessary for the model.

In Turkey, personal data protection is governed by Law No. 6698 on the Protection of Personal Data. The official text states that the law aims to protect fundamental rights and freedoms, particularly privacy, in relation to the processing of personal data, and to set binding obligations, principles, and procedures for persons processing personal data.

BaaS also raises banking secrecy and customer secret issues. The BaaS regulation refers to the confidentiality and security of data qualified as customer secret and requires contractual provisions ensuring confidentiality, security, auditability, and compliance with authentication and transaction security criteria.

A BaaS data protection program should include:

Clear privacy notices
Data controller and processor role analysis
Data processing agreements
Banking secrecy clauses
Customer consent mechanisms where required
Data minimization
Purpose limitation
Retention schedules
Access controls
Cross-border transfer assessment
Domestic backup requirements where applicable
Breach notification procedures
Vendor controls
Customer rights procedures
Audit trails

One of the most dangerous mistakes in embedded finance is excessive data collection. The interface provider may be tempted to use banking data for marketing, scoring, personalization, or unrelated platform analytics. Such use must be assessed carefully under personal data protection, banking secrecy, customer consent, and contractual limitations.


11. AML, KYC, and Financial Crime Compliance

BaaS does not eliminate anti-money laundering obligations. In fact, embedded finance may increase AML risk because customer acquisition takes place through a non-bank digital platform. The service bank must ensure that customer identification, risk scoring, sanctions screening, transaction monitoring, suspicious transaction reporting, and recordkeeping obligations are properly fulfilled.

Turkey’s main AML statute is Law No. 5549 on Prevention of Laundering Proceeds of Crime. MASAK’s official English source states that obliged parties must report suspicious transactions to MASAK and includes obligations regarding reporting, information, documents, and confidentiality of suspicious transaction reports.

A BaaS AML framework should address:

Who performs customer due diligence
How remote identification is conducted
How customer data is transmitted to the service bank
How beneficial ownership is checked
How sanctions and PEP screening are performed
How suspicious transactions are detected
How alerts are escalated
Who files suspicious transaction reports
How records are retained
How platform-specific fraud signals are shared
How high-risk customers are handled
How account freezes or restrictions are communicated

The interface provider may have valuable behavioral and platform data that the bank does not otherwise have. For example, the platform may know whether a merchant account is newly created, whether there is unusual seller activity, whether transactions are inconsistent with business history, or whether multiple accounts are linked to the same device. A good BaaS compliance model should allow legally appropriate sharing of such risk signals with the service bank.


12. Consumer Protection and Transparency

Customer transparency is central to BaaS. The customer must not be confused about whether they are dealing with the platform or the bank. The BaaS regulation requires the service contract between the service bank and the interface provider to include matters such as disclosure that banking services are provided by the service bank, the bank’s website address, the services offered by the bank, responsibilities of the service bank, customer service contact details, complaint channels, standard agreements, logo and name usage, and rules on confidential data.

Consumer protection issues may arise in:

Misleading app design
Unclear identity of the service bank
Hidden fees
Unclear complaint channels
Unauthorized transactions
Account suspension
Credit product disclosures
Use of customer data
Cancellation and termination
Disputes over responsibility between the bank and interface provider
Marketing of banking products by non-bank platforms
Confusing branding and logos

If a customer suffers a loss, the first practical question will be: who is responsible? The bank may say the issue arose from the interface provider’s system. The interface provider may say the banking product belongs to the bank. A well-drafted legal structure should prevent the customer from being left between two parties.


13. BaaS Agreements: Key Clauses

The BaaS agreement between the service bank and interface provider is the most important commercial and legal document in the structure. It should not be treated as a standard technology service contract. It is a regulated financial services agreement.

A strong BaaS agreement should include:

Definitions of services
Regulatory status of each party
Customer onboarding process
Remote identification responsibilities
Customer contract formation
Data sharing and confidentiality
Banking secrecy obligations
AML and KYC responsibilities
Authentication and transaction security standards
API specifications
Service levels
Incident reporting
Business continuity
Audit rights
Regulatory access
Subcontracting restrictions
Cloud service rules
Use of trademarks and branding
Marketing approval procedures
Complaint handling
Fee and revenue sharing
Liability and indemnity
Termination rights
Transition assistance
Data return and deletion
Recordkeeping
Change management
Regulatory notification obligations

The BDDK regulation specifically states that the service contract must include issues concerning customer secret confidentiality and security, compliance with identity verification and transaction security criteria, audit rights allowing the service bank to examine relevant information, documents, and records, immediate termination rights in certain cases, and prohibition on transfer of the services provided by and to the interface provider.

For this reason, BaaS agreements require coordinated legal review by banking, fintech, data protection, technology, consumer, AML, and commercial contract specialists.


14. Interface Provider Permission and Multi-Bank Models

A key legal issue for fintech platforms is whether they can work with multiple service banks. The Turkish regulation states that the ability of an interface provider to work with more than one service bank is subject to BRSA Board permission.

This matters for business strategy. A fintech platform may want to avoid dependence on one bank. It may wish to use different banks for different products, different customer segments, different funding sources, or redundancy. However, multi-bank BaaS cannot be treated as a purely commercial choice. It requires regulatory planning.

Multi-bank BaaS models raise additional questions:

How will customer consent be managed?
Can the user see which bank provides each product?
How will data be separated between banks?
How will conflicts of interest be handled?
How will AML alerts be shared or segregated?
How will outages be managed?
Can one bank access data related to another bank’s services?
How will branding and disclosures be presented?
How will complaints be routed?
What happens if one bank terminates the relationship?

A multi-bank embedded finance model may be commercially attractive, but it is legally more complex than a single-bank model.


15. Relationship with Payment Services and E-Money Regulation

Many embedded finance models combine banking, payments, e-money, and wallet features. This is where legal classification becomes especially important.

If the interface provider only provides a regulated interface for the service bank’s banking product, BaaS rules may be the primary framework. However, if the interface provider also provides payment services, payment initiation services, account information services, e-money issuance, digital wallet services, or merchant acquiring, Law No. 6493 may become relevant. Law No. 6493 applies to payment and securities settlement systems, payment services, payment institutions, and electronic money institutions.

The BaaS regulation itself states that the BRSA permission granted to an interface provider does not remove requirements arising from other relevant legislation, including operating permission requirements for certain payment services under Law No. 6493.

This means that a fintech company may need more than one legal analysis. It may need to determine whether it is:

An interface provider under BaaS rules
A payment institution
An electronic money institution
A technical service provider
A merchant platform
A data processor
An outsourcing service provider
A representative or agent
A non-regulated software provider

The wrong classification can lead to operating without the required license, misleading customers, invalid contractual assumptions, and regulatory sanctions.


16. Legal Risks in BaaS Models

BaaS creates strong opportunities, but it also creates significant legal risks. Common risks include:

Operating as an interface provider without required BRSA permission
Creating the impression that the interface provider is a bank
Offering services outside the service bank’s operating permission
Failing to establish a valid customer-bank contract
Weak remote onboarding controls
Inadequate AML and KYC arrangements
Unclear allocation of complaint responsibility
Improper data sharing
Violation of banking secrecy
Unlawful use of customer data for platform analytics
API security weaknesses
Lack of audit rights
Uncontrolled subcontracting
Insufficient cloud compliance
Misleading advertising
Hidden fees
Failure to comply with consumer protection rules
Failure to notify or report contract changes
Non-compliant multi-bank structure
Failure to comply with Law No. 6493 where payment services are involved

The most serious risk is regulatory recharacterization. If the structure is presented as BaaS but the interface provider effectively controls the banking service, makes credit decisions, holds itself out as the bank, handles customer funds without authority, or operates regulated payment services without a license, the model may be challenged by regulators.


17. Practical Compliance Checklist for BaaS Projects in Turkey

A BaaS project in Turkey should follow a structured legal compliance process:

Classify the proposed embedded finance model.
Identify the service bank and the banking products involved.
Confirm that the service bank’s operating permission covers the proposed services.
Determine whether the interface provider requires BRSA Board authorization.
Assess whether Law No. 6493 payment or e-money licensing is triggered.
Prepare the BaaS service agreement.
Prepare the customer contract with the service bank.
Align platform terms with the bank’s customer documentation.
Design customer disclosures clearly.
Review app screens, marketing materials, and branding.
Prepare AML and KYC workflows.
Map customer data flows.
Prepare privacy notices and data processing agreements under Law No. 6698 (KVKK).
Review banking secrecy obligations.
Prepare API security and authentication controls.
Establish incident response procedures.
Prepare complaint routing rules.
Set audit rights and regulatory access mechanisms.
Review outsourcing and subcontracting.
Plan regulatory notifications and reporting.
Create a termination and migration plan.

This checklist should be customized for each project. A marketplace seller-account model, SME financing tool, payroll banking platform, mobility wallet, and retail embedded credit product will each require different legal analysis.


18. Why Legal Support Is Essential for BaaS and Embedded Finance

BaaS projects are legally complex because they combine banking regulation, fintech strategy, software architecture, data protection, consumer law, cybersecurity, AML compliance, and commercial contracts. A product team may design a seamless customer experience, but the legal structure must support that experience.

A fintech and banking lawyer can assist with:

BaaS regulatory classification
Service bank and interface provider role analysis
BRSA permission strategy
Embedded finance contract drafting
Customer agreement review
API and technology contract review
AML and KYC policy design
KVKK and banking secrecy compliance
Consumer protection review
Marketing and disclosure review
Payment services licensing analysis
Outsourcing and cloud compliance
Regulatory correspondence
Dispute resolution planning
Administrative sanction defense

Legal support should begin before product launch. In BaaS, compliance cannot be added after the interface is built. The customer journey, contractual structure, data architecture, API design, complaint routing, and regulatory responsibility must be planned together.


Conclusion

Banking as a Service in Turkey creates major opportunities for embedded finance. It allows licensed banks to provide banking services through the digital interfaces of fintech companies and other platforms. This can expand financial access, improve customer experience, support SME services, and enable new digital business models.

However, BaaS is not a way for unlicensed companies to operate like banks. Turkish law places the licensed service bank at the center of the model. The service bank must remain responsible for the banking service, customer relationship, regulatory compliance, authentication, transaction security, customer data, and supervisory obligations. The interface provider also has significant duties, including regulatory permission where required, customer transparency, data security, confidentiality, and compliance with the BaaS contract.

The most important legal principle is transparency. Customers must know which institution provides the banking service, what role the interface provider plays, what contract governs the service, how complaints will be handled, how their data will be used, and who is responsible for regulated banking functions.

For fintech companies and platforms, BaaS can be a powerful route into financial services. But it must be structured carefully. If the model also involves payment services, electronic money, digital wallets, lending, data analytics, or multi-bank integration, additional regulatory analysis is required.

A successful BaaS model in Turkey is not merely a technical integration. It is a regulated legal architecture. Companies that build this architecture correctly will be better positioned to scale embedded finance products, gain regulatory confidence, protect customers, attract banking partners, and reduce legal risk.

