Open Banking is a great opportunity for fintechs; however, if the licence + security + KVKK triangle is not set up from the start, the risk is considerable.
YÖS license
- BRSA regulation + Law No. 6493.
- Minimum capital 5M TL.
- Internal control + risk management + compliance functions.
API security
- OAuth 2.0 + OpenID Connect.
- mTLS client certificate.
- Rate limiting + anomaly detection.
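As an added example (not code from the original page), the per-request checks a gateway in front of the bank API would run to enforce the three items above: validate the OAuth 2.0 access token (pinned algorithm, signature, issuer, audience, expiry), require that the token is bound to the mTLS client certificate that presented it (RFC 8705 `cnf` / `x5t#S256`, so a stolen token replayed from another client is refused), check that the consent scope actually covers the operation, and apply a per-client sliding-window rate limit with a simple anomaly flag for account enumeration. The issuer URL, audience, `client_id`, HS256 demo secret and the certificate byte strings are constructed for the demo; a production gateway verifies RS256/ES256 tokens against the authorization server's JWKS and takes the DER certificate from the TLS layer.

```python
"""Added example: per-request checks for an Open Banking API gateway.
Constructed values throughout (issuer, audience, secret, certificate bytes)."""
import base64
import hashlib
import hmac
import json
from collections import defaultdict, deque

ISSUER = "https://as.example-bank.tr"      # hypothetical authorization server
AUDIENCE = "accounts-api"
AS_SECRET = b"constructed-demo-secret"      # demo HS256 key; production uses RS256/ES256 via JWKS


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER-encoded client certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT issuer standing in for the bank's authorization server."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Check structure, pinned algorithm and signature; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(AS_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


class RateLimiter:
    """Sliding window per client_id; also flags one client touching many
    distinct accounts inside the window, a typical enumeration pattern."""

    def __init__(self, max_requests=100, max_distinct_accounts=20, window_s=60):
        self.max_requests, self.max_distinct, self.window = max_requests, max_distinct_accounts, window_s
        self.hits = defaultdict(deque)      # client_id -> request timestamps
        self.accounts = defaultdict(dict)   # client_id -> {account_id: last_seen}

    def check(self, client_id: str, account_id: str, now: float) -> str:
        q = self.hits[client_id]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        seen = self.accounts[client_id]
        seen[account_id] = now
        for stale in [a for a, t in seen.items() if now - t > self.window]:
            del seen[stale]
        if len(q) > self.max_requests:
            return "rate_limited"
        if len(seen) > self.max_distinct:
            return "anomaly"
        return "ok"


def authorize_request(token, client_cert_der, account_id, required_scope, limiter, now):
    """Gateway decision for one request: returns (allowed, reason)."""
    try:
        claims = verify_jwt(token)
    except ValueError as e:
        return False, str(e)
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False, "wrong issuer/audience"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Certificate-bound token: a token replayed over another mTLS identity is rejected.
    bound = (claims.get("cnf") or {}).get("x5t#S256", "")
    if not hmac.compare_digest(bound, x5t_s256(client_cert_der)):
        return False, "token not bound to this client certificate"
    # Consent is specific: the scope must name the operation; revoked consent means no scope.
    if required_scope not in claims.get("scope", "").split():
        return False, "scope not granted"
    client_id = claims.get("client_id")
    if not client_id:
        return False, "missing client_id"
    verdict = limiter.check(client_id, account_id, now)
    return (verdict == "ok"), verdict


# Constructed inputs: byte strings standing in for DER-encoded client certificates.
FINTECH_CERT_DER = b"\x30\x82\x01\x0a-constructed-fintech-client-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x0a-constructed-other-client-cert"
NOW = 1_700_000_000


def demo_token(cert_der=FINTECH_CERT_DER, scope="accounts:read", exp=NOW + 600) -> str:
    return sign_jwt({"iss": ISSUER, "aud": AUDIENCE, "client_id": "fintech-123",
                     "exp": exp, "scope": scope, "cnf": {"x5t#S256": x5t_s256(cert_der)}})


if __name__ == "__main__":
    limiter = RateLimiter(max_distinct_accounts=3)
    token = demo_token()
    print(authorize_request(token, FINTECH_CERT_DER, "TR01", "accounts:read", limiter, NOW))
    print(authorize_request(token, OTHER_CERT_DER, "TR01", "accounts:read", limiter, NOW))
```

The order of the checks is deliberate: signature and binding are decided before any per-client state is touched, so an attacker replaying a captured token from a different mTLS identity cannot even consume the legitimate client's rate-limit budget, and the enumeration flag fires on distinct accounts rather than raw request volume, which is the pattern a plain rate limit misses.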
Bank stakeholder agreements
- SLA + uptime.
- Allocation of data responsibility.
- Communication in the event of a breach.
Frequently asked questions
How should customer consent be obtained?
Explicit + specific + revocable; an e-signature is recommended.
How long does bank API access last?
180 days is standard; it can be extended with an additional contract.
Who is responsible in the event of a data breach?
Generally the fintech; shared if the breach occurs via the bank API.
Relevant legislation
- Law No. 6493 — Payment & electronic money; licensing, operating permit.
- BRSA Regulations — Payment institution / EMI permission, capital, reporting.
- Law No. 5549 — MASAK; KYC, STRs, regular activity reporting.
- KVKK + GDPR — Data security, cross-border transfer.
- PCI DSS — Card data storage; PCI DSS level 1-4 compliance.