In the world of fintech, new business models emerge every day. One of the most talked-about models lately is undoubtedly the Banking as a Service (BaaS) business model.

This article examines the current regulation of BaaS business model in Türkiye and answers frequently asked questions about it.

What is the BaaS Business Model? What Benefits Does It Provide to Banks and Non-Bank Companies?

The BaaS (Banking as a Service) business model refers to banks providing their banking services to customers through applications or websites of non-bank companies.

Banks carry out their operations through physical and digital channels, including branches, internet banking, mobile banking, and telephone banking. As per regulations, banks must own all these channels. In other words, banks cannot provide banking services through channels that they do not possess.

However, BaaS enables banks to offer their banking products and services through electronic channels owned by non-bank companies, by imposing certain security obligations.

In this regard, BaaS can be viewed as a novel digital distribution channel. It enables banks to broaden their customer base and enhance inclusivity, making their services "ubiquitous." The BaaS business model serves as a new tool for banks to achieve this objective.

For non-bank companies, the BaaS business model is a way to improve customer loyalty and experience by offering new financial products through partnerships with banks.

An Example of BaaS...

To illustrate this topic with a concrete example, let's say you are an e-commerce company that wants to offer users a credit facility or another financial instrument that only banks are authorized to provide. Your goal is to increase sales by enabling direct payment during checkout on your platform without redirecting the user to third-party electronic channels.

This is where BaaS comes in. With a BaaS agreement in place with a bank, you can offer the bank's financial services to your users on your own platform, without the need for them to redirect to the bank's electronic channels.

In this scenario, your customer becomes a customer of the bank providing the financial service, but you can also offer a financial product that facilitates the purchase for your customer with a frictionless flow without leaving your platform.

Therefore, even if you do not have a banking license, as an e-commerce site, you have the opportunity to work with bank muscles.

It is worth noting that business models offered under BaaS are not limited to this and could include services such as card issuance or loyalty points.

Frequently Asked Questions about BaaS Legislation in Türkiye

The BaaS business model in Türkiye is regulated by the Banking Regulation and Supervision Agency ("BRSA") through the "Regulation on the Principles of Operation of Digital Banks and Service Model Banking" ("Regulation"), which came into effect in 2021.

To provide a better understanding of how BaaS is regulated in Türkiye, we have compiled a list of frequently asked questions related to BaaS legislation.

1) What are the regulations related to the BaaS business model in Türkiye?

The BaaS business model is regulated in Türkiye primarily by the Regulation on the Principles and Service Model Banking of Digital Banks ("Regulation"), which came into effect on January 1, 2021.

When examining the references in the Regulation, we can say that the following regulations also indirectly affect the BaaS business model:

  • Regulation on Information Systems and Electronic Banking Services of Banks published in the Official Gazette dated 5/3/2020 and numbered 31069 ("Information Systems Regulation"),
  • Regulation on Banks Receiving Support Services published in the Official Gazette dated 5/11/2011 and numbered 28106 ("Support Services Regulation"),
  • Regulation on Sharing Confidential Information published in the Official Gazette dated 4/6/2021 and numbered 31501 ("Confidentiality Regulation"),
  • Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relationship in Electronic Environment published in the Official Gazette dated 1/4/2021 and numbered 31441 ("UKTY").

It should be noted that there is also a draft Directive on Criteria to be Provided for Identity Verification and Transaction Security in Electronic Banking Services and Establishment of Contractual Relationship in Electronic Environment ("Identity Verification and Transaction Security Directive") published a couple of months ago whereas the same has not entered into the force yet.

2) Which regulatory and supervisory authority is responsible for the BaaS business model?

In Türkiye, the BRSA regulates and supervises the BaaS business model.

3) How is Service Model Banking defined in the legislation?

Service Model Banking is defined under the Regulation as follows:

Service Model Banking: "A service model in which customers connect to the banking services of the service bank directly through open banking services by using the interface provided by interface providers."

Therefore, the BRSA has identified two actors for the BaaS business model: the "service bank" and the "interface provider".

These actors are defined as follows:

Interface Provider: "Capital companies established as businesses that enable their customers to perform banking transactions by accessing the banking services offered by the service bank through the open banking services of the bank via a mobile application or internet browser-based interface."

Service Bank:"Bank that provides service model banking services."

4) Which banks offer BaaS services?

Any bank that has obtained an operating license within the framework of Banking Law ?5411 — regardless of whether it is a traditional or digital bank — can offer BaaS services.

5) Can banks offer BaaS services to interface providers located abroad?

No, the regulation clearly stipulates that the service bank can only provide services to interface providers located domestically.

6) Who can be interface providers?

The regulation requires interface providers to be established as a capital company and be located in Türkiye. Companies that meet these requirements and offer services through electronic means, including mobile or web-based marketplaces, e-commerce companies, financial institutions (excluding banks), and others who offer their services via electronic media, can be interface providers.

7) Can banks be interface providers?

No, banks are prohibited from being interface providers under the Regulation. Therefore, it is not possible for a bank to offer its customers services -that is not covered by its own operating license- as an interface provider by obtaining banking services from another bank.

8) Can payment and electronic money institutions act as interface providers?

Although the Regulation doesn't explicitly forbid payment institutions (PIs) and electronic money institutions (EMIs) from acting as interface providers, these entities are not authorized to do so under the Law on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions (?6493). As a result, payment service providers are currently prohibited from acting as interface providers.

9) What banking services can banks offer under the BaaS business model?

Banks are permitted to offer banking services only for activities that fall within their own operational permissions or licenses.

10) Do banks need a separate license or license expansion to provide BaaS services?

As per the Regulation, banks do not need to request an expansion of activities from the BRSA to provide services to interface providers.

11) Who should establish the contract with the customer regarding banking services in the BaaS business model?

The provision of banking services subject to BaaS must be provided by the service bank. In this context, in order for the service bank to offer banking services to the customer of the interface provider, a contract must be established between the service bank and the customer in accordance with Banking Law ?5411.

12) Are there any requirements for the contract between the service bank and the customer?

The contract between the service bank and the customer is subject to the Banking Law. In this regard, if the relevant contract is established electronically, the process must be carried out in accordance with the UKTY.

13) What other information security obligations must the interface provider's platform comply with? Who is responsible?

The mobile application or internet browser-based interface used by the customer to access the services provided by the service bank must comply with the identity verification and transaction security obligations set forth in the Information Systems Regulations as well as the Draft Directive on Identity Verification and Transaction Security. In this regard, the interface provider and the service bank share responsibility.

14) Are there any technical criteria for the services that service banks will provide to interface providers under BaaS?

The BRSA has recently published a Draft Directive on Identity Verification and Transaction Security that specifies some technical criteria for Baas. However, it has not yet entered into force.

It should be noted that the regulation states that the BRSA has the authority to determine the technical criteria, procedures, and principles related to these services. Therefore, it is possible that the BRSA may issue further regulations in the future.

15) What is the legal status of the BaaS service relationship between the service bank and the interface provider?

In the context of BaaS services, the interface provider is considered to have a support service relationship with the service bank as per the Regulation. The interface provider acts as a support service provider within the scope of the Support Services Regulation, providing services to the service bank. It also acts as an intermediary, enabling the establishment of a contractual relationship between the service bank and the customer, or providing the customer with the opportunity to access banking services from the service bank via the interface it provides within the scope of this contract.

16) Can the interface provider accept deposit or participation funds or can the relevant funds be deposited to the service bank through the interface provider?

It is not possible for the interface provider to accept the specified funds or to deposit the relevant funds to the service bank through the interface provider, except in cases where the interface provider is a payment service provider.

17) Can the service bank collect credit card requests through the interface provider?

Yes, the service bank can receive support services from the interface provider by collecting credit card requests through the service channels of the interface provider.

18) What is the process that the interface provider and the service bank need to follow to provide BaaS service?

Once the service bank and interface provider agree on the scope and details of the BaaS service, fulfill information security obligations, and negotiate the contract, they must apply to the BRSA for permission. After obtaining the BRSA's approval, they can sign the BaaS contract.

19) What should be included in the contract between the service bank and the interface provider?

The Regulation mandates that the contract between the service bank and the interface provider address certain issues related to the BaaS service. These issues should include support services and information systems, as stipulated by the Support Services Regulation and Information Systems Regulation.

20) Is it possible for an interface provider to work with more than one service bank?

Yes, the regulation explicitly permits this, provided that the interface provider obtains permission from the BRSA.

21) Is it necessary to establish a contract between the interface provider and the customer for the BaaS service?

Yes, it is necessary to establish a contract between the interface provider and the customer for the BaaS service.

The relevant contract should:

  • Clearly emphasize that the interface provider is not a bank that has obtained an operating license, or if it has not obtained the necessary operating licenses, that it is not a payment service provider or another financial institution subject to operating permits.
  • Clearly state that the banking services subject to BaaS are provided by the service bank.
  • Specify which services are provided by the service bank, the responsibilities of the service bank, the contract provisions between the service bank and the customer, and the other terms of use of the service bank services.
  • Provide the website address and call center phone number of the service bank for customer requests and complaints.

22) What information should the interface provider include on its website regarding BaaS services?

The interface provider is required to display a sample of the standard contract between the customer and the service bank, as well as the standard contract between the service bank and the customer regarding the BaaS service, in a visible location on the homepage of its website. Additionally, the provider must include the logo and name of the service bank(s) from which the service is obtained on the homepage.

23) What information should a bank include on its website if it offers BaaS services?

The service bank should provide information on its website about the scope of the services it offers. This includes a list of all interface providers it serves, and which banking services it provides to them.

24) Is it possible for the service bank to issue a card payment instrument for the interface provider under BaaS?

Yes, it is possible. However, in such a case, the bank's name and logo must be clearly visible on the payment instrument.

25) What should interface providers pay attention to during marketing of BaaS services?

Interface providers are not allowed to give the impression that they offer banking services to customers. This means they cannot use terms like "payment service provider such as bank" or "payment institution and electronic money institution" in their name, documents, advertisements, or public statements.

In addition, interface providers cannot use language that suggests they function as a bank or payment service provider, take deposits or investment funds like a bank, or accept funds like a payment service provider.

When promoting BaaS services, interface providers should always make it clear that these services are provided by the service bank, not by the interface provider themselves.

Overall Evaluation

After reviewing the regulation, it appears that BRSA takes a liberal and distinct approach to regulating the BaaS business model, without getting bogged down in too many specifics. This technology-neutral approach means that innovation will be encouraged within BaaS business models.

Therefore, when service banks and interface providers apply to BRSA for permission, certain aspects of the BaaS business model will be determined by taking into account relevant time, technology, and market conditions. As more examples of BaaS business models emerge, we can expect these applications to take shape in the coming years.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.