Board responsibilities in corporate compliance under Turkish law have become one of the most important issues for shareholders, founders, foreign investors, listed companies, and regulated businesses operating in Türkiye. In practice, Turkish compliance is not built around a single “corporate compliance act.” Instead, it is shaped by the Turkish Commercial Code, capital markets regulation, AML rules, personal data protection law, and, in some sectors, banking and other prudential frameworks. That is why any serious discussion of corporate compliance in Türkiye must begin with the board of directors. Under Turkish law, compliance is not only a management or legal-department issue. It is also a governance issue, and governance begins with the board.
The starting point is structural. Article 365 of the Turkish Commercial Code provides that a joint stock company is managed and represented by the board of directors. Article 369 then imposes a duty of care and loyalty, stating that board members and third persons entrusted with management must perform their duties with the care of a prudent manager and protect the interests of the company in good faith. Read together, these provisions show that the board is not a ceremonial organ under Turkish law. It is the primary corporate organ responsible for managing the company and exercising oversight with diligence. That duty-of-care standard is the legal foundation on which Turkish board-level compliance responsibilities are built.
The Board’s Non-Delegable Compliance Role
The clearest statutory anchor for board responsibility appears in Article 375 of the Turkish Commercial Code. The Ministry-hosted text states that the board’s non-delegable and inalienable duties include top-level management of the company, determining the management organization, establishing the necessary order for accounting, financial audit, and financial planning, appointing and dismissing managers and signatories, and supervising whether persons entrusted with management comply with law, the articles of association, internal directives, and the board’s written instructions. The same article also assigns responsibility for keeping key corporate books, preparing the annual activity report and corporate governance statement, preparing the general assembly, implementing general-assembly resolutions, and notifying the court in cases of over-indebtedness. This is not a narrow company-law rule. It is a broad compliance rule in substance, because it places legal conformity, oversight, financial integrity, and reporting inside the board’s own non-delegable sphere.
This matters because many companies misread delegation as dilution of responsibility. Turkish law allows delegation, but not abdication. The board may structure management, appoint executives, and allocate functions, yet Article 375 still keeps ultimate supervision and certain core decisions at board level. For compliance purposes, the practical consequence is simple: a board cannot defend itself by saying that AML was handled by compliance staff, privacy by IT, accounting by finance, and regulatory correspondence by outside counsel if the board never built a system to oversee whether those functions were operating lawfully. Turkish law does not require the board to perform every operational task personally, but it does require the board to create and supervise the management architecture through which those tasks are performed.
Delegation Requires Structure, Not Informality
Article 367 of the Turkish Commercial Code is especially important for compliance design. It provides that the board may be authorized by the articles of association to delegate management, wholly or partly, to one or more board members or to third persons through an internal directive. The same provision states that this internal directive must regulate the company’s management, define the necessary duties, indicate the positions, and, in particular, determine who is subordinate to whom and who is obliged to provide information to whom. This is a deeply compliance-oriented rule. It means that delegation in Turkish law must be documented, hierarchical, and information-based.
For compliance teams and boards, this has direct operational consequences. A company that has grown quickly, especially a founder-led company, often relies on informal authority lines. But Turkish law points in the opposite direction. If compliance responsibilities are scattered across legal, finance, HR, IT, and operations, the board should be able to show how those responsibilities are mapped, where they sit in the organization, and how reporting moves upward. A weak or missing internal directive may not create the underlying compliance breach by itself, but it often makes later defense much harder because it becomes unclear who was supposed to know, who was supposed to act, and who was supposed to escalate the issue.
Information Rights, Conflicts, and Board Process
Board responsibility for compliance is inseparable from access to information. Article 392 of the Turkish Commercial Code states that each board member may request information about all business operations, ask questions, and conduct examinations, and that a request for books, records, contracts, correspondence, or documents cannot be rejected. The same article states that persons entrusted with management and committees are obliged to provide information at board meetings, and it gives the member a right to apply to court if certain information requests are refused outside the board meeting context. This is an important compliance mechanism because it means Turkish law expects the board to govern through information, not through assumption.
Conflict-of-interest rules reinforce this. Article 393 prohibits a board member from participating in deliberations where the member’s own external personal interest, or that of certain close relatives, conflicts with the company’s interest. The same provision imposes liability where an interested member participates improperly and other members fail to object even though the conflict is objectively known. Article 395 separately restricts board members from transacting with the company without general-assembly permission, and Article 396 contains a non-compete rule that prevents board members, without general-assembly approval, from carrying out business of the same type as the company for their own or another’s account or joining a competing company as an unlimited-liability partner. These provisions matter for compliance because they show that Turkish board responsibility is not limited to system-building. It also includes personal integrity, recusal discipline, and protection against self-interested decision-making.
Risk Oversight Is a Legal Duty, Not a Best Practice
Article 378 of the Turkish Commercial Code gives risk management a formal legal place in Turkish corporate governance. According to the official text, in listed companies the board must establish, operate, and develop an expert committee for the early detection of risks that may endanger the company’s existence, development, and continuity, and for implementing necessary measures and remedies and managing risk. The same text states that the committee reports to the board every two months, identifies dangers if any, and indicates remedies, and that the report is also sent to the auditor. This is one of the clearest statutory examples of the board’s compliance role under Turkish law.
The Public Oversight Authority’s principle decision on the auditor’s report regarding the risk early detection system and committee confirms this governance structure. The KGK document explains that the “committee” is the risk early detection committee established by the board under Article 378, that the “system” is the system established by the board to identify, analyze, report, and allocate responsibilities for risk management, and that the auditor’s role includes assessing whether the system and committee exist and function within the Article 378 framework. In other words, Turkish law does not treat risk oversight as a voluntary governance fashion. It treats it as a statutory board function that can also become visible through the audit process.
Listed Companies Face Enhanced Board Expectations
For listed companies, board responsibilities in compliance become more explicit under capital markets regulation. The Capital Markets Board’s Corporate Governance Principles state that the board should establish internal control and risk management mechanisms appropriate for the company in order to minimize adverse effects on stakeholders, especially shareholders. The same official materials also show that listed companies are expected to form committees such as an audit committee and to disclose whether an internal control and risk management mechanism has been established. These are not abstract aspirations. They are concrete governance expectations attached to public-company status in Türkiye.
The audit committee is especially relevant to compliance culture. The Capital Markets Board’s official English principles state that the audit committee should evaluate and resolve issues pertaining to complaints and suggestions regarding accounting practices, the internal control system, and the independent audit. That statement is highly significant. It means that in listed companies, the board’s compliance role is not exhausted by approving policies. Through the audit committee, the board is also expected to ensure that internal reporting, accounting integrity, internal controls, and audit-related concerns are heard and handled through a formal governance channel.
Board Responsibilities in AML and Financial-Crime Compliance
Board responsibility also appears clearly in Turkish AML compliance. MASAK’s compliance-program regulation, as reflected in official MASAK materials, defines the compliance officer as a person employed to ensure compliance with obligations introduced by law and secondary legislation, and explicitly states that the compliance officer is attached to the board of directors or to one or more board members to whom authority has been delegated. MASAK’s official guidance also states that obliged parties and financial groups must review their compliance-program measures at least every two years and make necessary updates. These features show that, in the Turkish AML framework, compliance is not designed as an isolated back-office function. It is board-linked by design.
This board linkage is not cosmetic. A board in a MASAK-regulated entity should understand that AML compliance is a governance responsibility involving policy approval, reporting channels, risk oversight, resourcing, and internal review. If the compliance officer is formally connected to the board, the board should expect to receive meaningful information, ask questions, and ensure that the institution’s AML framework is being updated when the business model or risk profile changes. In Turkish compliance practice, a board that approves an AML program once and then ignores it for years is not acting consistently with the structure of the MASAK regime.
Board Responsibilities in Data Protection and Cyber Compliance
The Turkish data-protection framework does not specifically say “the board shall do X” in the same way Article 375 of the Commercial Code does, but the board’s responsibilities still arise clearly when the two frameworks are read together. Article 12 of the Personal Data Protection Law states that the data controller must take all necessary technical and organizational measures to provide an appropriate level of security, must ensure protection against unlawful processing and unlawful access, and must carry out or procure the necessary audits to ensure implementation of the law. It also says that where processing is carried out by another natural or legal person on behalf of the controller, the controller remains jointly responsible with the processor for the necessary measures. The Authority’s official guidance further states that the 72-hour breach-notification rule applies once the controller becomes aware of the breach.
For a Turkish company, those obligations inevitably come back to the board through Article 375’s non-delegable duties of organizational design, financial and audit order, and top-level supervision. If the company is a data controller, the board cannot safely treat privacy and cyber controls as purely technical matters. The board should ensure that the company has organizational measures, processor oversight, internal auditability, and a working incident-escalation model. This is particularly true because breach response in Türkiye is time-sensitive. A board that never asked how the company would detect, escalate, and notify a breach may have difficulty demonstrating that it exercised appropriate oversight of compliance-critical systems. That is a legal inference from the combined structure of the Turkish Commercial Code and the KVKK, but it is a strong and practical one.
Regulated Sectors Face Higher Board Burdens
Board responsibility becomes even heavier in regulated sectors. In banking, for example, the BDDK’s Regulation on Internal Systems and ICAAP states that its purpose is to lay down procedures and principles concerning internal control, internal audit, risk management, and ICAAP systems to be established by banks and the functioning of those systems. BDDK’s corporate governance principles for banks further state that the board should ensure policies for identifying and preventing conflicts of interest, monitor the conformity of the bank’s activities with the law and internal policies, determine authorities and responsibilities, and monitor whether senior management complies with the board’s policies. These sector-specific rules show that, in Turkish regulated industries, board responsibility for compliance is not merely general. It is intensified and made more detailed by the sector regulator.
This matters in practice because a board in a regulated industry cannot rely solely on general company-law compliance. It must also understand the sector-specific internal-systems framework. For banks, BDDK expects structured internal systems. For capital-markets-facing issuers, SPK expects board-level internal control and audit committee oversight. For MASAK-obliged entities, the AML system is attached to the board or delegated board member. Turkish boards in regulated sectors therefore need to ask a more advanced question than “are we generally compliant?” They need to ask whether their sector’s supervision model expects extra board reporting, internal systems, or committee functioning beyond the Commercial Code baseline.
Liability Exposure for Boards
Board responsibility in Turkish compliance law has a liability dimension as well. Article 553 of the Turkish Commercial Code states that founders, board members, managers, and liquidators are liable for the loss they cause to the company, shareholders, and company creditors if they negligently breach duties arising from the law or the articles of association. The same article also says that where a duty or authority is lawfully delegated, the delegating persons are not liable for the acts and decisions of the delegates unless it is proved that they failed to exercise reasonable care in selecting them. This is a highly important rule for compliance because it rejects two extremes at once: it does not make the board automatically liable for every delegate’s mistake, but it also does not allow careless delegation without consequence.
For compliance purposes, that means a board should think about liability in terms of system quality. If the board selected competent managers and compliance officers carefully, established reporting lines, approved a workable internal framework, and supervised the system in a documented way, Article 553 may help limit exposure. But if the board delegated without structure, ignored warning signs, failed to create oversight, or tolerated evident non-compliance, the legal risk increases materially. In Turkish law, director liability is therefore closely connected to the quality of the board’s compliance architecture.
What a Board Should Actually Do
A Turkish board that wants to meet its compliance responsibilities should start with organizational clarity. It should know which matters remain at board level, what has been delegated, whether an internal directive exists, who reports to whom, and how material legal or regulatory risks are escalated. It should then ensure that the company has functioning internal control, risk, data-security, and regulatory-reporting processes, and that these are not just written down but actually used. In listed companies, the board should also ensure that the audit committee and other required committees are functioning as real oversight mechanisms rather than formal placeholders.
The second step is to build a reporting culture that the board can use. A board cannot supervise what it never sees. Management should provide regular, structured updates on legal risk, regulatory correspondence, internal investigations, material incidents, AML developments, cyber and privacy events, and control deficiencies. Board members should actively use their information rights under Article 392 rather than wait passively for management summaries. In Turkish law, a board that never asks questions is rarely well positioned to argue later that it exercised prudent oversight.
The third step is periodic review. Risk frameworks change, businesses scale, data flows expand, vendors proliferate, and regulators update expectations. MASAK’s official guidance says compliance-program measures should be reviewed at least every two years. The Capital Markets Board’s governance principles require listed companies to establish internal control and risk management mechanisms, and the audit committee is expected to address accounting and internal-control complaints. The logic across these regimes is consistent: compliance is not a one-time approval. It is a system that must be reviewed, tested, and updated.
Conclusion
Board responsibilities in corporate compliance under Turkish law are broad, substantive, and impossible to reduce to symbolic governance language. The Turkish Commercial Code places top-level management, organizational design, financial order, supervision of management, and certain core reporting and solvency duties directly on the board. Article 378 formalizes board-level risk oversight in listed companies. SPK’s corporate governance framework expects internal control, risk management, and audit committee involvement. MASAK’s AML system links the compliance officer to the board. The KVKK’s data-security and audit obligations, when read together with the board’s supervisory duties under the Commercial Code, make privacy and cyber oversight part of board governance as well.
For that reason, the most accurate way to understand Turkish board responsibility is this: the board is not expected to perform every compliance task itself, but it is expected to build, resource, supervise, and periodically re-evaluate the system through which compliance tasks are performed. In Türkiye, that is the difference between nominal governance and real governance—and, very often, between manageable regulatory risk and personal liability exposure.