Open Banking Compliance
Open banking frameworks, from PSD2 in the EU to Türkiye's developing open-banking regulations, require fintechs, banks, and third-party providers to meet precise technical, contractual, and regulatory standards before accessing or exposing account data.
Open banking sits at the convergence of payments regulation, data protection, and commercial contracting. Under PSD2, third-party providers (TPPs) seeking to offer Payment Initiation Services (PIS) or Account Information Services (AIS) must hold appropriate regulatory authorisation, register under a qualified certificate framework, comply with Regulatory Technical Standards on Strong Customer Authentication, and negotiate API access agreements with account-servicing payment service providers (ASPSPs). The forthcoming Open Finance framework (FIDA) in the EU will extend similar access rights to a broader category of financial data.
In Türkiye, the BDDK and TCMB have introduced open-banking provisions within the broader payment services regime, requiring defined technical interfaces and bilateral framework agreements. Turkish banks and fintechs engaging in account-data sharing must comply with TCMB circulars on open banking APIs, data residency rules under the Banking Law and KVKK, and security standards set by BKM.
GlobalB Law advises TPPs and ASPSPs on the full spectrum of open-banking obligations: regulatory licensing strategy, API access agreement negotiation, SCA implementation, GDPR and KVKK data-use consents, and preparation for the Open Finance transition. Our cross-border practice ensures that advice covers the interaction between EU PSD2/FIDA requirements and Turkish domestic rules for clients operating in both markets simultaneously.
What we do
Services in this practice
常见问题
常见问题解答
Does a company providing AIS need a full PI licence or just a registration?
Under PSD2, pure Account Information Service Providers (AISPs) require registration with the NCA rather than full authorisation, a lighter-touch process with lower capital requirements. However, if the same entity also provides PIS or any other payment service, full PI authorisation is required. We assess the right regulatory category for your specific product before filing.
What is the difference between PSD2 open banking and the forthcoming FIDA open finance framework?
PSD2 mandates access only to payment accounts held at ASPSPs. FIDA (the Financial Data Access Regulation, proposed by the European Commission) extends data-sharing obligations to a wider set of financial products including mortgages, insurance policies, pension products, and investment accounts. FIDA is expected to enter into force progressively from 2026. We advise clients on building data-access architectures that are compliant with PSD2 today and FIDA-ready for tomorrow.
How does Turkish open banking regulation differ from PSD2?
Türkiye's framework shares some conceptual architecture with PSD2 but operates under the domestic Banking Law, BDDK/TCMB regulations, and BKM technical standards rather than an EU directive. Key differences include the consent and data localisation requirements under KVKK, bilateral rather than open-API models in some implementation areas, and distinct licensing categories. Firms operating in both Türkiye and the EU need a carefully structured dual-compliance approach.
开始咨询
预约咨询
向我们介绍您的事务,我们将为您匹配合适的律师。