The main purpose of the Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions is to regulate the procedures and principles regarding payment and securities settlement systems, payment services, payment institutions and electronic money institutions. In this framework, Law No. 6493 has defined the relevant activities and the companies that will engage in these activities, and has determined the basic principles regarding their establishment and activities.
The law avoided going into details about the corporate governance of the relevant institutions and left the authority to make sub-regulations on this issue to the CBRT. According to the articles of the Law on payment institutions (article 14/6) and electronic money institutions (article 18/6), the procedures and principles regarding corporate governance principles and internal systems of institutions will be determined by a regulation to be issued by the CBRT. The CBRT used this authority given by the Law with the Regulation on Payment Services and Electronic Money Issuance and Payment Providers dated 1 December 2021.
The fourth part of the regulation, titled Corporate Governance, includes articles on senior management, internal control, risk management, accounting and reporting, independent auditing, CBRT audit and oversight, business continuity and information system audits.
- Board of Directors
The board of directors of organizations cannot be less than three people, including the general manager. The general manager is a natural member of the board of directors. Members of the board of directors are required to have negative qualifications, such as not having gone bankrupt, not having a share in bankrupt banks, and not having committed various crimes, which are among the conditions sought for founders of the banks in the Banking Law No. 5411.
Issues under the responsibility of the board of directors:
- Establishing organizational structure and duties and responsibilities,
- Determining the risk appetite based on the strategy, policy and implementation procedures of the internal control and risk management units and risk types,
- Establishment of information systems policy and control process,
- Establishment of customer complaint management system,
- Establishing internal control and risk management policies with the principles and procedures of protecting funds,
- Establishing the procedures and principles regarding the selection of the representatives and the management and monitoring of the risks arising from the representatives,
- Creating work flow plans related to activities,
- Carrying out activities related to the management and auditing of information systems.
The general manager must have at least seven years of business or finance experience and a minimum of a bachelor’s degree. There is no qualification requirement for the other members of the board of directors within this framework. However, it should be noted that the detailed curriculum vitae of the members of the board of directors will be submitted to the CBRT in detail in Annex-9 of the Regulation.
- Internal Control System
It is mandatory for organizations to establish an adequate and effective internal control system. Two main purposes of this system have been determined:
- To ensure that the activities are carried out effectively and efficiently in accordance with the Law and other relevant legislation, internal regulations and practices.
- To ensure the integrity, reliability and timely availability of information of accounting and reporting systems.
The minimum requirements for the internal control system to achieve these goals are determined as follows:
- Establishing a functional separation of duties within the organization, sharing of responsibilities, determining authority and responsibilities clearly and in writing,
- Creation of internal control activities,
- Creating work flow charts showing the controls and work steps on the business processes of the organization,
- Establishing information systems in accordance with the structure and complexity of the activities,
- Preparation and annual testing of business continuity and contingency plans.
Five different activities are included in the framework of internal control activities:
- Control of transactions for the execution of activities,
- Control of communication channels and information systems and financial reporting system,
- Controlling the operation of the process of responding to complaints,
- Control of compliance with the regulations within the scope of Law No. 5549 and related legislation, internal regulations and practices and other legislation and the processes operated for this purpose,
- Control of activities carried out by means of representative or outsourcing.
As can be seen, internal control activities will consist of the control of transactions related to the basic activities of payment and electronic money institutions and the reflections of these activities in the fields of communication with customers, information systems, financial reporting, compliance, representative transactions, and external service procurement.
An internal control system should be established to ensure that the information produced within the organization is reliable, complete, traceable, consistent and in the appropriate form and quality to meet the needs. In order to design the control set for the execution of the activities, the business model of the organization should be analyzed in detail and all the operations related to the execution of the activities should be determined. Work flows related to these transactions should be prepared in detail, and each point in the work flow should be associated with an authority level in the company’s organizational structure. Then, control points should be determined for each point in the workflows according to their importance levels and financial impact in case of a possible weakness.
In terms of the design of the internal control system, while the four titles excluding the control of the operations for the execution of activities can be considered as sub-titles of this first title, the fact that the legislation counts them as the main category indicates the importance given to these titles. Controls related to compliance risk (KYC and AML/CFT controls) are one of the most important components of internal control activity. Control of information systems and financial reporting system is important in terms of carrying out company activities under a certain assurance. Control of customer complaints and communication channels is an integral part of the internal control framework for early detection of potential losses and malpractices. The control of the activities carried out through the procurement of representatives or outsourcing services deserves to be considered as a separate topic considering the risks of these activities.
- Organizational Structure of Internal Control System
Internal control activities can be carried out directly under the board of directors or under a non-executive board member other than the general manager. Although an audit committee is not structured in the Law No. 6493 and its sub-legislation as in the banking legislation, payment and electronic money institutions can also manage the relevant functions by forming an audit committee within the board of directors.
Internal control activities are carried out by internal control personnel, who have the necessary knowledge and experience and do not have executive duties, in accordance with the organization’s operating structure and scope. Internal control personnel report to the board of directors, at least as of the end of June and December, regarding the internal control activities carried out. Internal control personnel must be full-time employees of the institution.
- Risk Management System
Organizations are required to establish an effective risk management system in order to identify, measure, monitor, control, report and manage risks in line with the scope and structure of their activities and in line with changing conditions. This system should cover the following risks in addition to the risks related to the main activities:
- Risks related to money laundering and terrorist financing
- Risks arising from other organizations related to the realization of activities
- Risks associated with participating payment systems
- Risks arising from external service providers
- Risks arising from representatives
One of the most important components of the risk management system is the management of risks for information systems. Organizations need to address this issue in detail, depending on the type and complexity of their activities. In this context, the relevant legislation and national and international standards should also be taken into account. All factors such as agents, related organizations, and systems should be taken into account when addressing risks arising from information systems.
The rules, procedures and policies related to the risk management system and the changes to be made in these must be in writing.
Within the scope of risk management activities, necessary measures should be taken by conducting research, primarily on social media and online platforms, in order to determine whether the services offered by the company are used in illegal activities, especially illegal betting.
- Organizational Structure of Risk Management System
Risk management activities, depending on directly to the board of directors or a non-executive board member other than the general manager, is carried out by risk management personnel who have the necessary knowledge and experience and do not have an executive duty. The risk management unit reports its operating results to the board of directors, at least as of the end of June and December. In addition, a comprehensive risk assessment regarding information systems should be made at least once a year, and the results and action plan should be submitted to the Board of Directors and the CBRT in January each year. This work should also be done before a significant change in information systems.
Although the legislation clearly foresees full-time work for internal control personnel, the silence for risk management can be interpreted as risk management personnel can be employed on a part-time basis.
- Accounting, Reporting and Independent Audit
Institutions are required to account for their activities in accordance with TFRS and have their year-end financial statements audited by independent audit firms that have been authorized to conduct audits in companies under the control of Capital Market Board and Banking Regulation and Supervision Agency. The year-end audit report must be sent to the CBRT by May 15 at the latest. The CBRT has the right to decide that the independent audit activity is insufficient and to request an additional independent audit.
- Audit and Regulatory Reporting
The CBRT is responsible for implementing regulations and sub-regulations and monitoring and supervising the issues regarding their implementation. CBRT audit includes off-side supervision and on-site auditing over information and documents transmitted by institutions. Institutions are obliged to regularly report in the format, method, frequency and time period to be determined by the CBRT.
- Business Continuity Plan
Organizations should create a business continuity plan that covers emergency and contingency scenarios, interruptions and losses in the event of these scenarios, and test it regularly. The business continuity plan should also cover issues related to branches and agencies, critical operations and resources, and external service providers.