Open Banking is the ability of a third-party fintech to access account information and initiate payments with the approval of the bank customer. In Türkiye it operates on the infrastructure of BKM and TRSPI; a TPP (Third Party Provider) license is required.
3 main roles
- AISP (Account Information Service Provider): reads account information; used by personal finance apps.
- PISP (Payment Initiation Service Provider): initiates payments; used in e-commerce.
- CBPII (Card-Based Payment Instrument Issuer): issues card products.
TPP license + certification
Technical requirements
- OAuth 2.0 + OpenID Connect.
- FAPI (Financial-grade API) profile.
- mTLS + JWS signature.
- PSD2 SCA (Strong Customer Authentication): MFA + dynamic linking.
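As an added illustration of the dynamic-linking requirement in the SCA item above (not code from this page or from any bank's implementation): the bank's authentication code is an HMAC over the amount, payee and a one-time nonce the customer confirmed during MFA, so a PISP request whose amount or payee differs from what was shown at confirmation time, or that reuses a nonce, is rejected before execution. Function names, the key and the IBAN are constructed assumptions, and HMAC stands in for a bank's real SCA mechanism.

```python
import hmac
import hashlib
import json
from decimal import Decimal

# Constructed demo key shared by the bank's SCA server and its payment
# execution step; a real deployment keeps it in an HSM, never in code.
SCA_KEY = b"constructed-demo-key-not-a-real-secret"

# Nonces already spent; a real bank keeps this in a database.
_spent_nonces = set()

def canonical_payment(amount, currency, payee_iban, nonce):
    """Canonical bytes for the details the customer saw during MFA."""
    # Normalise the amount so "10.5" and "10.50" link to the same code.
    payload = {"amount": str(Decimal(amount).quantize(Decimal("0.01"))),
               "currency": currency, "payee": payee_iban, "nonce": nonce}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def issue_auth_code(amount, currency, payee_iban, nonce, key=SCA_KEY):
    """After the customer confirms exactly these details via MFA, the bank
    issues an authentication code bound to the amount and payee."""
    msg = canonical_payment(amount, currency, payee_iban, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_dynamic_link(auth_code, amount, currency, payee_iban, nonce, key=SCA_KEY):
    """Recompute the code over the details the PISP actually submitted.
    A changed amount or payee, or a reused nonce, rejects the payment."""
    if nonce in _spent_nonces:
        return False
    expected = issue_auth_code(amount, currency, payee_iban, nonce, key)
    if not hmac.compare_digest(auth_code, expected):
        return False
    _spent_nonces.add(nonce)  # consume the nonce only on success
    return True

if __name__ == "__main__":
    iban = "TR000000000000000000000001"  # constructed placeholder IBAN
    code = issue_auth_code("10.50", "TRY", iban, "nonce-1")
    print("tampered amount:", verify_dynamic_link(code, "99.50", "TRY", iban, "nonce-1"))
    print("original details:", verify_dynamic_link(code, "10.50", "TRY", iban, "nonce-1"))
    print("replayed request:", verify_dynamic_link(code, "10.50", "TRY", iban, "nonce-1"))
```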
Is sharing the Bank API mandatory?
Not yet: Türkiye has no mandatory sharing obligation equivalent to the EU's PSD2. BKM services such as "Paribu Open Banking" are optional; participation is each bank's own decision.
Data retention period?
Retention is "purpose bound" within the framework of KVKK. For AIS, data is kept for a maximum of 90 days on a rolling basis, unless the user renews consent.
Is PSD2 compliance necessary for Türkiye?
If you are selling into the EU market, yes. For the Turkish domestic market, BRSA + TRSPI compliance is sufficient.
How is user consent managed?
Consent is explicit, revocable and granular (per account), in line with KVKK Articles 5 and 11. The confirmation panel in the UI shows which data is accessed and for how long.
Who is responsible if the bank API malfunctions?
This is set in the SLA agreement. If annual downtime exceeds 1%, the fintech may become liable to compensate customers; multi-bank integration is recommended as a fallback.
Relevant legislation
- Law No. 6493 — Payment and electronic money services; licensing, operating permit.
- BRSA Regulations — Payment institution / EML permission, capital requirements, reporting.
- Law No. 5549 — MASAK; KYC, STR, regular activity.
- KVKK + GDPR — Data security, cross-border transfer.
- PCI-DSS — Card data storage; PCI level 1-4 compliance.