Digital Banking in Turkey: Legal Framework for Online Banks and Banking-as-a-Service Models

Introduction

Digital banking in Turkey has become one of the most important developments in the Turkish financial sector. Traditional banking services are no longer limited to physical branches, printed forms and face-to-face customer onboarding. Today, banks and fintech companies provide financial services through mobile applications, internet banking platforms, APIs, digital onboarding systems, embedded finance structures and Banking-as-a-Service models.

Turkey has responded to this transformation by creating a specific regulatory framework for digital banks and Banking-as-a-Service. The main legal instrument is the Regulation on the Operating Principles of Digital Banks and Banking as a Service Model (the “Digital Banking Regulation”), published in the Official Gazette dated 29 December 2021 and effective as of 1 January 2022. The regulation determines the principles for branchless banks that provide services through electronic banking channels and for the provision of banking services as a service model to fintech companies and other businesses.

Digital banking in Turkey is not an unregulated technology activity. A digital bank is still a bank. It must comply with Banking Law No. 5411, BRSA licensing rules, capital requirements, corporate governance obligations, internal systems requirements, information security standards, customer protection rules, anti-money laundering obligations and banking confidentiality principles. Similarly, Banking-as-a-Service does not allow fintech companies to act as banks without authorization. It creates a regulated cooperation model between licensed banks and eligible interface providers.

This article explains the legal framework for digital banking in Turkey, online bank licensing, Banking-as-a-Service models, open banking, fintech partnerships, data security, customer onboarding and compliance risks.

1. What Is Digital Banking Under Turkish Law?

Under Turkish law, a digital bank is a credit institution that provides banking services through electronic banking service distribution channels instead of physical branches. This definition is important because it shows that a digital bank is not merely a software company or a fintech platform. It is a licensed credit institution operating through digital channels.

Digital banks may operate as deposit banks or participation banks, depending on their license type. As a general principle, digital banks may perform all activities that credit institutions can perform, subject to whether they are established as deposit banks or participation banks. However, they must comply with the Digital Banking Regulation in addition to all other legal obligations applicable to credit institutions under Banking Law No. 5411 and related regulations.

This means that digital banks are not subject to a lighter legal regime simply because they do not rely on physical branches. They must comply with the same core banking principles applicable to conventional banks, including licensing, capital adequacy, internal control, risk management, internal audit, information systems security, customer confidentiality and BRSA supervision.

The main difference is operational. A digital bank reaches customers primarily through electronic banking channels. Its competitive advantage comes from lower branch costs, faster onboarding, data-driven services, personalized products, API integrations and scalable digital infrastructure. However, its legal responsibilities remain extensive.

2. Main Legal Sources Governing Digital Banking in Turkey

The legal framework of digital banking in Turkey is based on several different sources.

The first and most important source is Banking Law No. 5411. This law regulates the establishment, operation, supervision, corporate governance, internal systems, confidentiality, capital adequacy and permitted activities of banks in Turkey. Banking Law No. 5411 also contains provisions on establishment permission, operating permission, foreign bank branches, share transfers and revocation of operating permission.

The second source is the Digital Banking Regulation, which specifically governs digital banks and Banking-as-a-Service. This regulation was issued based on several articles of Banking Law No. 5411, including provisions on banking activities, establishment, operating permission, corporate governance, internal systems and BRSA authority.

The third source is the Regulation on Information Systems and Electronic Banking Services of Banks. This regulation sets minimum procedures and principles for managing banks’ information systems, providing electronic banking services, managing related risks and establishing information systems controls. It is especially important for digital banks because their entire business model depends on secure, reliable and continuous digital infrastructure.

The fourth source is Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions and the secondary regulations of the Central Bank of the Republic of Türkiye. These rules become relevant when digital banking models involve payment services, electronic money, open banking, account information services, payment initiation services or fintech payment integrations. The CBRT states that payment services in Turkey are regulated and supervised under Law No. 6493 and related secondary legislation.

Therefore, digital banking in Turkey must be analyzed as a multi-layered regulatory field. It combines banking law, payment services law, information systems regulation, fintech regulation, data protection, consumer law and anti-money laundering compliance.

3. BRSA Licensing for Digital Banks

A digital bank cannot operate in Turkey without authorization from the Banking Regulation and Supervision Agency, commonly known as the BRSA or BDDK. Since a digital bank is a credit institution, it must obtain the required establishment and operating permissions under Turkish banking legislation.

The Digital Banking Regulation provides that the general conditions for establishment and operating permissions of digital banks are the same conditions applicable to banks under the relevant BRSA rules on bank establishment and operating permission. The provisions of the Digital Banking Regulation apply as additional requirements.

This is a crucial point for investors. A digital bank license is not a simple fintech registration. It is a full banking license with additional technology-related requirements. The applicant must demonstrate transparent ownership, adequate capital, qualified founders, competent management, sound corporate governance, effective internal systems, reliable information systems, a realistic business plan and compliance readiness.

The BRSA evaluates whether the proposed digital bank is financially, operationally and technically capable of providing banking services safely. A strong application should include market analysis, target customer segments, financial projections, cybersecurity arrangements, outsourcing policies, customer complaint mechanisms, electronic contract procedures, remote identity verification systems and risk management structures.

4. Minimum Capital Requirement for Digital Banks

Capital is one of the most important requirements for a digital bank license. The Digital Banking Regulation provides that the minimum paid-up capital required for digital banks to obtain operating permission is TRY 1 billion, consisting of cash and free from all kinds of fictitious transactions. The BRSA Board is authorized to increase this amount.

This requirement reflects the regulatory view that digital banks must have sufficient financial strength even if they do not operate a traditional branch network. Digital banks face significant technology, cybersecurity, operational, credit, compliance and customer service risks. A lower-cost digital model does not eliminate the need for strong capital.

In practice, investors should not treat the minimum capital amount as the only financial requirement. The BRSA may examine whether the proposed capital is sufficient for the bank’s business plan, technology investment, staffing, customer acquisition strategy, risk profile and projected losses. A digital bank that plans rapid growth, large-scale lending or complex fintech integrations may need a stronger capital plan.

5. Management and Information Systems Expertise

Digital banking requires both banking knowledge and technology expertise. The Digital Banking Regulation states that managerial staff must have sufficient knowledge and experience to understand risks specific to the digital bank’s business model. It also provides that the top-level manager responsible for information systems should be appointed at least at the level of assistant general manager, and at least one board member must have at least ten years of professional experience in information systems management.

This rule is highly significant. It shows that digital banking governance cannot be dominated only by traditional finance professionals. Since the bank’s operational core is digital infrastructure, the board and senior management must be able to understand technology risk, cybersecurity, system continuity, outsourcing, cloud architecture, API security, authentication processes and electronic banking controls.

A digital bank’s governance structure should therefore include strong reporting lines between the board, audit committee, risk management, internal audit, compliance, information security and technology teams. The bank should also maintain a clear technology risk appetite, incident response plan, business continuity plan and information security policy.

6. Business Plan and Activity Program for Digital Banks

A digital bank application must include a detailed business plan and activity program. The Digital Banking Regulation requires applicants to provide information on their target audience, including groups such as students, homemakers, young people under eighteen and SMEs, as well as the products and services planned to meet the needs of those groups. It also requires market size and market gap analysis supported by numerical data, pricing policy for the next five years, projected customer numbers, financial projections and assumptions showing when the investment will reach break-even.

This requirement indicates that the BRSA expects a digital bank to present a realistic and measurable business strategy. A vague plan based only on “digital transformation” or “fintech innovation” would not be sufficient. The applicant should explain which market problem it solves, why customers would use its services, how it will compete with existing banks and fintech companies, and how it will remain financially sustainable.

The activity program must also include technical information, such as system and network architecture, critical systems, information systems strategy, information security management, project management, IT operations management, accessibility management, continuity management, external service providers, customer request and complaint workflows, transaction security and identity verification procedures.

7. Information Systems Competency Assessment

Before a digital bank receives operating permission, the BRSA must be satisfied that its information systems are adequate. The Digital Banking Regulation provides that the competency assessment of the applicant’s information systems by the BRSA’s on-site inspection unit is required for operating permission. If necessary, the BRSA may require an audit report on information systems and the adequacy and effectiveness of controls from an authorized audit firm.

This requirement is one of the most important differences between ordinary company licensing and digital bank licensing. In a digital bank, failure of information systems may directly affect customer access, payment services, account security, regulatory reporting, fraud prevention and business continuity. Therefore, technical readiness is not secondary; it is central to the licensing process.

A digital bank should be prepared to demonstrate secure authentication, access management, encryption, logging, monitoring, transaction controls, disaster recovery, penetration testing, vulnerability management, incident response, outsourcing governance and business continuity.

8. Banking-as-a-Service Model in Turkey

Banking-as-a-Service, or BaaS, is a regulated model under Turkish law. The Digital Banking Regulation defines Banking-as-a-Service as a model where customers can perform banking transactions by directly connecting with the systems of service banks through open banking services, via the interface offered by interface providers. A service bank is the bank that provides the Banking-as-a-Service infrastructure. An interface provider is a capital company that enables customers to access banking services offered by a service bank through the interface provider’s mobile application or internet browser-based interface.

In simple terms, BaaS allows a licensed bank to provide banking services through the digital interface of another business. This model is especially relevant for fintech companies, e-commerce platforms, mobility companies, telecommunications companies, marketplace operators and other digital platforms that want to offer embedded financial services to their users.

However, BaaS does not mean that the interface provider becomes a bank. The regulated banking service remains on the balance sheet and under the responsibility of the service bank. The service bank makes the decision whether to provide banking services to the customer, including loan allocation decisions, and the banking services are carried out on the balance sheet of the service bank.

9. Who Can Be an Interface Provider?

The Digital Banking Regulation provides that a service bank may provide Banking-as-a-Service only to domestically resident interface providers and only within the scope of its own operating permission. It also states that banks cannot be interface providers.

This means that the Turkish BaaS model is designed around cooperation between a licensed bank and a non-bank interface provider established in Turkey. The interface provider may be a fintech company or another business operating a digital platform, but it cannot present itself as a bank unless it has the necessary authorization.

Interface providers must be careful in their trade names, advertisements, customer contracts and public communications. Without the necessary permissions, they may not use expressions that create the impression that they are banks, payment institutions, electronic money institutions or institutions collecting deposits, participation funds or payment funds.

This rule is designed to prevent customer confusion. The customer must understand who provides the banking service, who holds the funds, who is responsible for the account or credit product, and which entity is merely providing the digital interface.

10. Customer Contract and Remote Onboarding in BaaS

For a service bank to provide banking services to a customer of an interface provider, a contractual relationship must be established between the customer and the service bank. If the contract is established electronically, the process must comply with the rules on remote identity verification and electronic contract formation, and the customer’s identity must be determined by the service bank.

This is a central legal point. In a BaaS model, the interface provider may operate the app or browser-based interface, but the banking relationship is between the customer and the licensed service bank. The service bank cannot avoid its obligations by saying that the customer came through a third-party platform.

The regulation also requires that where the process is initiated and completed through the interface provider’s service channels, those channels must comply with security criteria under the Regulation on Information Systems and Electronic Banking Services of Banks. The service bank is responsible for ensuring that the contract content shown to the customer is approved properly.

11. Joint Responsibility for Authentication and Transaction Security

The Digital Banking Regulation imposes joint responsibility on the interface provider and the service bank for ensuring that the interface used by the customer complies with authentication and transaction security obligations under the electronic banking rules. The service bank cannot provide BaaS services or receive outsourcing services from interface providers that do not satisfy these obligations or whose systems are insufficient.

This rule is highly important in practice. Interface providers cannot treat security as a matter solely belonging to the bank. If their mobile application, web interface, API connection or user authentication process is weak, the entire BaaS model may become non-compliant.

For this reason, BaaS agreements should include detailed provisions on authentication, transaction monitoring, fraud prevention, data security, audit rights, incident reporting, service levels, customer notifications, business continuity and termination rights.

12. Interface Provider as an Outsourcing Institution

The Digital Banking Regulation treats the interface provider as an outsourcing institution in certain respects. Where the interface provider mediates the establishment of the contractual relationship between the customer and the service bank or enables the provision of banking services through its interface, it qualifies as an outsourcing institution providing services to the bank. The provision of outsourcing services to a service bank as an interface provider is subject to BRSA Board permission.

This means that BaaS is not merely a private commercial contract between a bank and a fintech company. It has a regulatory permission dimension. The service bank must assess the interface provider’s systems, controls, legal status, operational capacity and security level. The BRSA may determine additional conditions for interface providers.

This also affects due diligence. Before entering into a BaaS partnership, a bank should conduct legal, technical, financial and operational due diligence on the interface provider. Likewise, the interface provider should understand that it is entering a regulated environment where audit rights, data localization, confidentiality and regulatory reporting are essential.

13. Data, Customer Secrets and Domestic Backup Requirements

Customer data is one of the most sensitive issues in digital banking and BaaS. The Digital Banking Regulation requires service contracts to include provisions on confidential data transferred to the interface provider. The regulation also requires domestic system and data backups where confidential data are processed by the interface provider or its service providers.

This creates a significant compliance obligation for fintech companies and technology providers. If an interface provider processes customer secrets or confidential banking data, it must ensure that data security, confidentiality, processing limits, backup location and cloud infrastructure comply with Turkish banking rules.

The BaaS contract must also allow the service bank to audit the interface provider and examine relevant information, documents and records. If the interface provider’s systems fail to meet the required standards, or if the BRSA permission is revoked, the service bank must be able to terminate the contract immediately.

14. Difference Between Digital Banking and Banking-as-a-Service

Digital banking and Banking-as-a-Service are related but different concepts.

A digital bank is a licensed bank that provides banking services through electronic channels instead of physical branches. It directly holds the banking license, enters into contracts with customers, manages deposits or participation funds, grants loans and carries banking risk on its own balance sheet.

A BaaS model, on the other hand, involves a licensed service bank and a non-bank interface provider. The customer accesses banking services through the interface provider’s app or website, but the actual banking service is provided by the licensed bank. The interface provider does not become a bank merely because it provides the digital front-end.

This distinction is critical for fintech companies. A company that wants to provide financial services in Turkey should first determine whether it needs a digital bank license, a payment institution license, an electronic money institution license, a crypto-asset service provider authorization, a financing company license or a BaaS partnership with a licensed bank.

15. Digital Banking, Payment Services and E-Money

Digital banking models often overlap with payment services and electronic money. For example, a mobile banking app may allow money transfers, card payments, QR payments, bill payments and wallet-like services. A fintech interface provider may also wish to offer payment initiation or account information services.

In Turkey, payment services and electronic money are regulated under Law No. 6493 and CBRT secondary legislation. The CBRT’s official payment services framework lists Law No. 6493 and several regulations relating to payment systems, payment services, QR codes, crypto assets in payments and information systems.

Therefore, a digital banking or BaaS project should not analyze only banking law. It should also evaluate whether any part of the business model falls within payment services or electronic money regulation. In some cases, a fintech company may need CBRT authorization in addition to, or instead of, a BaaS relationship.

16. Consumer Protection and Transparency

Digital banking must also comply with consumer protection principles. Online onboarding, digital contracts, service fees, credit offers, card products, complaint channels and customer notifications must be transparent and understandable.

In BaaS models, transparency is especially important because customers may interact mainly with the interface provider’s brand. The regulation requires that contracts and websites clearly show that banking services are provided by the service bank, identify the services offered, explain the responsibilities of the service bank and provide customer service contact details. It also requires the service bank’s name and logo to be visible in certain contexts.

This prevents misleading presentation. Customers should not be left uncertain about whether they are dealing with a bank, fintech company, payment institution or other financial service provider.

17. Key Legal Risks in Digital Banking and BaaS

Digital banking and BaaS projects in Turkey may create several legal risks.

The first risk is licensing risk. If a company performs banking or payment services without authorization, it may face regulatory sanctions.

The second risk is customer confusion. If the interface provider presents itself as a bank or creates the impression that it holds customer funds, the model may violate the Digital Banking Regulation.

The third risk is data and confidentiality risk. Banking data is highly sensitive, and processing customer secrets without proper legal basis, safeguards and domestic backup arrangements may create serious compliance issues.

The fourth risk is information systems risk. Weak authentication, cyber vulnerabilities, API failures, transaction errors or service interruptions may lead to customer claims and regulatory scrutiny.

The fifth risk is outsourcing risk. Since the interface provider may be treated as an outsourcing institution, service bank audit rights, BRSA permission, termination rights and operational controls must be structured carefully.

The sixth risk is consumer law risk. Digital contracts, fees, credit products and complaint procedures must comply with consumer protection rules.

18. Practical Compliance Checklist

A digital bank or BaaS project in Turkey should include a detailed compliance checklist.

For a digital bank, the checklist should cover BRSA licensing, minimum capital, ownership transparency, qualified management, board-level IT expertise, business plan, activity program, financial projections, information systems architecture, cybersecurity, internal control, risk management, internal audit, AML compliance, remote onboarding, electronic contracts, data protection, customer complaint workflows and business continuity.

For a BaaS project, the checklist should cover service bank authorization, interface provider eligibility, BRSA permission for outsourcing, customer contract structure, clear disclosure of the service bank, authentication standards, transaction security, API governance, data processing limits, domestic backups, audit rights, incident reporting, termination rights and consumer complaint channels.

Conclusion

Digital banking in Turkey offers significant opportunities for banks, fintech companies, investors and digital platforms. However, the Turkish legal framework treats digital banking as a regulated banking activity, not merely as a technology service. A digital bank must obtain BRSA authorization, satisfy capital requirements, establish strong governance and maintain secure information systems.

Banking-as-a-Service creates a legal pathway for fintech companies and other businesses to offer banking services through cooperation with licensed banks. However, the model is strictly regulated. The service bank remains responsible for the banking relationship, while the interface provider must comply with security, transparency, outsourcing, data and contractual requirements.

For any business planning to launch a digital bank, online banking platform, embedded finance product or BaaS model in Turkey, early legal analysis is essential. The correct regulatory classification, licensing strategy, data architecture, customer contract structure and compliance framework should be determined before market launch.

A well-structured digital banking project can support financial inclusion, improve customer experience and create scalable financial services. Yet success in Turkey’s digital banking market depends not only on technology and user experience, but also on full compliance with Turkish banking, fintech, payment services and information security regulations.
